Abstract. This paper proposes a sound procedure to verify properties of communicating session automata (CSA), i.e., communicating automata that include multiparty session types. We introduce a new asynchronous compatibility property for CSA, called k-multiparty compatibility (k-MC), which is a strict superset of the synchronous multiparty compatibility used in theories and tools based on session types. It is decomposed into two bounded properties: (i) a condition called k-safety which guarantees that, within the bound, all sent messages can be received and each automaton can make a move; and (ii) a condition called k-exhaustivity which guarantees that all k-reachable send actions can be fired within the bound. We show that k-exhaustivity implies existential boundedness, and soundly and completely characterises systems where each automaton behaves equivalently under bounds greater than or equal to k. We show that checking k-MC is PSPACE-complete, and demonstrate its scalability empirically over large systems (using partial order reduction).


1 Introduction 


Communicating automata are a Turing-complete model of asynchronous interactions [10] that has become one of the most prominent for studying point-to-point communications over unbounded first-in-first-out channels. This paper focuses on a class of communicating automata, called communicating session automata (CSA), which strictly includes automata corresponding to asynchronous multiparty session types [29]. Session types originated as a typing discipline for the π-calculus [28,67], where a session type dictates the behaviour of a process wrt. its communications. Session types and related theories have been applied to the verification and specification of concurrent and distributed systems through their integration in several mainstream programming languages, e.g., Haskell [44,55], Erlang [49], F# [48], Go [11,38,39,51], Java [31,32,35,66], OCaml [56], C [52], Python [16,47,50], Rust [33], and Scala [62,63]. Communicating automata and asynchronous multiparty session types [29] are closely related: the latter can be seen as a syntactical representation of the former [17] where a sending state corresponds to an internal choice and a receiving state to an external choice. This correspondence between communicating automata and multiparty session types has become the foundation of many tools centred on session types, e.g., for generating communication API from multiparty session (global) types [31,32,48,62], for detecting deadlocks in message-passing programs [51,68], and for monitoring session-enabled programs [5,16,47,49,50]. These tools rely on a property called multiparty compatibility [6,18,40], which guarantees that communicating automata representing session types interact correctly, hence enabling the identification of correct protocols or the detection of errors in endpoint programs. Multiparty compatible communicating automata validate two essential requirements for session types frameworks: every message that is sent can be eventually received and each automaton can always eventually make a move. Thus, they satisfy the abstract safety invariant φ for session types from [64], a prerequisite for session type systems to guarantee safety of the typed processes. Unfortunately, multiparty compatibility suffers from a severe limitation: it requires that each execution of the system has a synchronous equivalent. Hence, it rules out many correct systems. Hereafter, we refer to this property as synchronous multiparty compatibility (SMC) and explain its main limitation with Example 1.


Example 1. The system in Figure 1 contains an interaction pattern that is not supported by any definition of SMC [6,18,40]. It consists of a client (c), a server (s), and a logger (l), which communicate via unbounded FIFO channels. Transition sr!a denotes that sender s puts (asynchronously) message a on channel sr; and transition sr?a denotes the consumption of a from channel sr by receiver r. The client sends a request and some data in a fire-and-forget fashion, before waiting for a response from the server. Because of the presence of this simple pattern, the system cannot be executed synchronously (i.e., with the restriction that a send action can only be fired when a matching receive is enabled), hence it is rejected by all definitions of SMC from previous works, even though the system is safe (all sent messages are received and no automaton gets stuck).


Synchronous multiparty compatibility is reminiscent of a strong form of exis- 
tential boundedness. Among the existing sub-classes of communicating automata 
(see [46] for a survey), existentially k-bounded communicating automata [22] 
stand out because they can be model-checked [8,21] and they restrict the model 
in a natural way: any execution can be rescheduled such that the number of 
pending messages that can be received is bounded by k. However, existential 
boundedness is generally undecidable [22], even for a fixed bound k. This short- 
coming makes it impossible to know when theoretical results are applicable. 

To address the limitation of SMC and the shortcoming of existential boundedness, we propose a (decidable) sufficient condition for existential boundedness, called k-exhaustivity, which serves as a basis for a wider notion of new compatibility, called k-multiparty compatibility (k-MC) where $k \in \mathbb{N}_{>0}$ is a bound on the number of pending messages in each channel. A system is k-MC when it is (i) k-exhaustive, i.e., all k-reachable send actions are enabled within the bound, and (ii) k-safe, i.e., within the bound k, all sent messages can be received and each automaton can always eventually progress. For example, the system in Figure 1 is k-multiparty compatible for any $k \in \mathbb{N}_{>0}$, hence it does not lead to communication errors, see Theorem 1. The k-MC condition is a natural constraint for real-world systems. Indeed any finite-state system is k-exhaustive (for k sufficiently large), while any system that is not k-exhaustive (resp. k-safe) for any k is unlikely to work correctly. Furthermore, we show that if a system of CSA validates k-exhaustivity, then each automaton locally behaves equivalently under any bound greater than or equal to k, a property that we call local bound-agnosticity. We give a sound and complete characterisation of k-exhaustivity for CSA in terms of local bound-agnosticity, see Theorem 3. Additionally, we show that the complexity of checking k-MC is PSPACE-complete (i.e., no higher than related algorithms) and we demonstrate empirically that its cost can be mitigated through (sound and complete) partial order reduction.

Fig. 1. Client-Server-Logger example.

In this paper, we consider communicating session automata (CSA), which 
cover the most common form of asynchronous multiparty session types [15] (see 
Remark 3), and have been used as a basis to study properties and extensions of 
session types [6,7, 18, 31,32, 42,43, 47,49, 50]. More precisely, CSA are determin- 
istic automata, whose every state is either sending (internal choice), receiving 
(external choice), or final. We focus on CSA that preserve the intent of internal 
and external choices from session types. In these CSA, whenever an automaton 
is in a sending state, it can fire any transition, no matter whether channels are 
bounded; when it is in a receiving state then at most one action must be enabled. 


Synopsis In § 2, we give the necessary background on communicating automata and their properties, and introduce the notions of output/input bound independence which guarantee that internal/external choices are preserved in bounded semantics. In § 3, we introduce the definition of k-multiparty compatibility (k-MC) and show that k-MC systems are safe for systems which validate the bound independence properties. In § 4, we formally relate existential boundedness [22,36], synchronisability [9], and k-exhaustivity. In § 5 we present an implementation (using partial order reduction) and an experimental evaluation of our theory. We discuss related works in § 6 and conclude in § 7. Our implementation and benchmark data are available online [34].


2 Communicating Automata and Bound Independence 


This section introduces notations and definitions of communicating automata 
(following [12,40]), as well as the notion of output (resp. input) bound indepen- 
dence which enforces the intent of internal (resp. external) choice in CSA. 

Fix a finite set $P$ of participants (ranged over by $p, q, r, s$, etc.) and a finite alphabet $\Sigma$. The set of channels is $C \triangleq \{pq \mid p, q \in P \text{ and } p \neq q\}$, $A \triangleq C \times \{!, ?\} \times \Sigma$ is the set of actions (ranged over by $\ell$), $\Sigma^*$ (resp. $A^*$) is the set of finite words on $\Sigma$ (resp. $A$). Let $w$ range over $\Sigma^*$, and $\phi, \psi$ range over $A^*$. Also, $\varepsilon$ ($\notin \Sigma \cup A$) is the empty word, $|w|$ denotes the length of $w$, and $w \cdot w'$ is the concatenation of $w$ and $w'$ (these notations are overloaded for words in $A^*$).


Definition 1 (Communicating automaton). A communicating automaton is a finite transition system given by a triple $M = (Q, q_0, \delta)$ where $Q$ is a finite set of states, $q_0 \in Q$ is the initial state, and $\delta \subseteq Q \times A \times Q$ is a set of transitions.


The transitions of a communicating automaton are labelled by actions in $A$ of the form $sr!a$, representing the emission of message $a$ from participant $s$ to $r$, or $sr?a$ representing the reception of $a$ by $r$. Define $\mathit{subj}(pq!a) = \mathit{subj}(qp?a) = p$, $\mathit{obj}(pq!a) = \mathit{obj}(qp?a) = q$, and $\mathit{chan}(pq!a) = \mathit{chan}(pq?a) = pq$. The projection of $\ell$ onto $p$ is defined as $\pi_p(\ell) = \ell$ if $\mathit{subj}(\ell) = p$ and $\pi_p(\ell) = \varepsilon$ otherwise. Let $\dagger$ range over $\{!, ?\}$, we define: $\pi^{\dagger}_{pq}(pq \dagger a) = a$ and $\pi^{\dagger}_{pq}(sr \ddagger a) = \varepsilon$ if either $pq \neq sr$ or $\dagger \neq \ddagger$. We extend these definitions to sequences of actions in the natural way.

A state $q \in Q$ with no outgoing transition is final; $q$ is sending (resp. receiving) if it is not final and all its outgoing transitions are labelled by send (resp. receive) actions, and $q$ is mixed otherwise. $M = (Q, q_0, \delta)$ is deterministic if $\forall (q, \ell, q'), (q, \ell', q'') \in \delta : \ell = \ell' \implies q' = q''$. $M = (Q, q_0, \delta)$ is send (resp. receive) directed if for all sending (resp. receiving) $q \in Q$ and $(q, \ell, q'), (q, \ell', q'') \in \delta : \mathit{obj}(\ell) = \mathit{obj}(\ell')$. $M$ is directed if it is send and receive directed.


Remark 1. In this paper, we consider only deterministic communicating automata without mixed states, and call them Communicating Session Automata (CSA). We discuss possible extensions of our results beyond this class in Section 7.


Definition 2 (System). Given a communicating automaton $M_p = (Q_p, q_{0p}, \delta_p)$ for each $p \in P$, the tuple $S = (M_p)_{p \in P}$ is a system. A configuration of $S$ is a pair $s = (\mathbf{q}; \mathbf{w})$ where $\mathbf{q} = (q_p)_{p \in P}$ with $q_p \in Q_p$ and where $\mathbf{w} = (w_{pq})_{pq \in C}$ with $w_{pq} \in \Sigma^*$; component $\mathbf{q}$ is the control state and $q_p \in Q_p$ is the local state of automaton $M_p$. The initial configuration of $S$ is $s_0 = (\mathbf{q}_0; \boldsymbol{\varepsilon})$ where $\mathbf{q}_0 = (q_{0p})_{p \in P}$ and we write $\boldsymbol{\varepsilon}$ for the $|C|$-tuple $(\varepsilon, \ldots, \varepsilon)$.


Hereafter, we fix a communicating session automaton $M_p = (Q_p, q_{0p}, \delta_p)$ for each $p \in P$ and let $S = (M_p)_{p \in P}$ be the corresponding system whose initial configuration is $s_0$. For each $p \in P$, we assume that $\forall (q, \ell, q') \in \delta_p : \mathit{subj}(\ell) = p$. We assume that the components of a configuration are named consistently, e.g., for $s' = (\mathbf{q}'; \mathbf{w}')$, we implicitly assume that $\mathbf{q}' = (q'_p)_{p \in P}$ and $\mathbf{w}' = (w'_{pq})_{pq \in C}$.


Definition 3 (Reachable configuration). Configuration $s' = (\mathbf{q}'; \mathbf{w}')$ is reachable from configuration $s = (\mathbf{q}; \mathbf{w})$ by firing transition $\ell$, written $s \xrightarrow{\ell} s'$ (or $s \to s'$ when $\ell$ is not relevant), if there are $s, r \in P$ and $a \in \Sigma$ such that either:

1. (a) $\ell = sr!a$ and $(q_s, \ell, q'_s) \in \delta_s$, (b) $q'_p = q_p$ for all $p \neq s$, (c) $w'_{sr} = w_{sr} \cdot a$ and $w'_{pq} = w_{pq}$ for all $pq \neq sr$; or

2. (a) $\ell = sr?a$ and $(q_r, \ell, q'_r) \in \delta_r$, (b) $q'_p = q_p$ for all $p \neq r$, (c) $w_{sr} = a \cdot w'_{sr}$, and $w'_{pq} = w_{pq}$ for all $pq \neq sr$.
Remark 2. Hereafter, we assume that any bound $k$ is finite and $k \in \mathbb{N}_{>0}$.


We write $\to^*$ for the reflexive and transitive closure of $\to$. Configuration $(\mathbf{q}; \mathbf{w})$ is $k$-bounded if $\forall pq \in C : |w_{pq}| \leq k$. We write $s_1 \xrightarrow{\ell_1 \cdots \ell_n} s_{n+1}$ when $s_1 \xrightarrow{\ell_1} s_2 \cdots s_n \xrightarrow{\ell_n} s_{n+1}$, for some $s_2, \ldots, s_n$ (with $n \geq 0$); and say that the execution $\ell_1 \cdots \ell_n$ is $k$-bounded from $s_1$ if $\forall 1 \leq i \leq n+1 : s_i$ is $k$-bounded. Given $\phi \in A^*$, we write $p \notin \phi$ iff $\phi = \phi_0 \cdot \ell \cdot \phi_1 \implies \mathit{subj}(\ell) \neq p$. We write $s \xrightarrow{\phi}_k s'$ if $s'$ is reachable with a $k$-bounded execution $\phi$ from $s$. The set of reachable configurations of $S$ is $\mathit{RS}(S) = \{s \mid s_0 \to^* s\}$. The $k$-reachability set of $S$ is the largest subset $\mathit{RS}_k(S)$ of $\mathit{RS}(S)$ within which each configuration $s$ can be reached by a $k$-bounded execution from $s_0$.

Definition 4 streamlines notions of safety from previous works [6, 12, 18, 40] 
(absence of deadlocks, orphan messages, and unspecified receptions). 


Definition 4 (k-Safety). $S$ is $k$-safe if the following holds $\forall (\mathbf{q}; \mathbf{w}) \in \mathit{RS}_k(S)$:

(ER) $\forall pq \in C$, if $w_{pq} = a \cdot w$, then $(\mathbf{q}; \mathbf{w}) \to^*_k \xrightarrow{pq?a}_k$.

(PG) $\forall p \in P$, if $q_p$ is receiving, then $(\mathbf{q}; \mathbf{w}) \to^*_k \xrightarrow{qp?a}_k$ for $q \in P$ and $a \in \Sigma$.

We say that $S$ is safe if it validates the unbounded version of $k$-safety ($\infty$-safe).


Property (ER), called eventual reception, requires that any sent message can 
always eventually be received (i.e., if a is the head of a queue then there must 
be an execution that consumes a), and Property (PG), called progress, requires 
that any automaton in a receiving state can eventually make a move (i.e., it can 
always eventually receive an expected message). 

We say that a configuration $s$ is stable iff $s = (\mathbf{q}; \boldsymbol{\varepsilon})$, i.e., all its queues are empty. Next, we define the stable property for systems of communicating automata, following the definition from [18].


Definition 5 (Stable). $S$ has the stable property (SP) if $\forall s \in \mathit{RS}(S) : \exists (\mathbf{q}; \boldsymbol{\varepsilon}) \in \mathit{RS}(S) : s \to^* (\mathbf{q}; \boldsymbol{\varepsilon})$.


A system has the stable property if it is possible to reach a stable config- 
uration from any reachable configuration. This property is called deadlock-free 
in [22]. The stable property implies the eventual reception property, but not 
safety (e.g., an automaton may be waiting for an input in a stable configuration, 
see Example 2), and safety does not imply the stable property, see Example 4. 


Example 2. The following system has the stable property, but it is not safe.

[Figure: the three automata $M_s$, $M_q$ and $M_r$ of this system are drawn here in the original (see Table 1, row 2).]

Next, we define two properties related to bound independence. They specify 
classes of CSA whose branching behaviours are not affected by channel bounds. 


Definition 6 (k-OBI). $S$ is $k$-output bound independent ($k$-OBI), if $\forall s = (\mathbf{q}; \mathbf{w}) \in \mathit{RS}_k(S)$ and $\forall p \in P$, if $s \xrightarrow{pq!a}_k$ then $\forall (q_p, pr!b, q'_p) \in \delta_p : s \xrightarrow{pr!b}_k$.

Fig. 2. Example of a non-IBI and non-safe system.


Definition 7 (k-IBI). $S$ is $k$-input bound independent ($k$-IBI), if $\forall s = (\mathbf{q}; \mathbf{w}) \in \mathit{RS}_k(S)$ and $\forall p \in P$, if $s \xrightarrow{qp?a}_k$, then $\forall \ell \in A : s \xrightarrow{\ell}_k \wedge \mathit{subj}(\ell) = p \implies \ell = qp?a$.


If $S$ is $k$-OBI, then any automaton that reaches a sending state is able to fire any of its available transitions, i.e., sending states model internal choices which are not constrained by bounds greater than or equal to $k$. Note that the unbounded version of $k$-OBI ($k = \infty$) is trivially satisfied for any system due to unbounded asynchrony. If $S$ is $k$-IBI, then any automaton that reaches a receiving state is able to fire at most one transition, i.e., receiving states model external choices where the behaviour of the receiving automaton is controlled exclusively by its environment. We write IBI for the unbounded version of $k$-IBI ($k = \infty$).

Checking the IBI property is generally undecidable. However, systems consisting of (send and receive) directed automata are trivially $k$-IBI and $k$-OBI for all $k$; this subclass of CSA was referred to as basic in [18]. We introduce larger decidable approximations of IBI with Definitions 10 and 11.


Proposition 1. (1) If $S$ is send directed, then $S$ is $k$-OBI for all $k \in \mathbb{N}_{>0}$. (2) If $S$ is receive directed, then $S$ is IBI (and $k$-IBI for all $k \in \mathbb{N}_{>0}$).


Remark 3. CSA validating k-OBI and IBI strictly include the most common forms 
of asynchronous multiparty session types, e.g., the directed CSA of [18], and sys- 
tems obtained by projecting Scribble specifications (global types) which need to 
be receive directed (this is called “consistent external choice subjects” in [32]) and 
which validate 1-OBI by construction since they are projections of synchronous 
specifications where choices must be located at a unique sender. 


3 Bounded Compatibility for CSA 


In this section, we introduce k-multiparty compatibility (k-MC) and study its 
properties wrt. safety of communicating session automata (CSA) which are k-OBI 
and IBI. Then, we soundly and completely characterise k-exhaustivity in terms 
of local bound-agnosticity, a property which guarantees that communicating 
automata behave equivalently under any bound greater than or equal to k. 


3.1 Multiparty Compatibility 


The definition of k-MC is divided in two parts: (i) k-exhaustivity guarantees that the set of k-reachable configurations contains enough information to make a sound decision wrt. safety of the system; and (ii) k-safety (Definition 4) guarantees that a subset of all possible executions is free of any communication errors. Next, we define k-exhaustivity, then k-multiparty compatibility. Intuitively, a system is k-exhaustive if for all k-reachable configurations, whenever a send action is enabled, then it can be fired within a k-bounded execution.

[Figure 3: automata $M_p$, $M_q$, $N_q$ and $N'_q$; visible transition labels are $pq!a$ and $qp!b$.]
Fig. 3. $(M_p, M_q)$ is non-exhaustive, $(M_p, N_q)$ is 1-exhaustive, $(M_p, N'_q)$ is 2-exhaustive.


Definition 8 (k-Exhaustivity). $S$ is $k$-exhaustive if $\forall (\mathbf{q}; \mathbf{w}) \in \mathit{RS}_k(S)$ and $\forall p \in P$, if $q_p$ is sending, then $\forall (q_p, \ell, q'_p) \in \delta_p : \exists \phi \in A^* : (\mathbf{q}; \mathbf{w}) \xrightarrow{\phi}_k \xrightarrow{\ell}_k \wedge p \notin \phi$.


Definition 9 (k-Multiparty compatibility). S is k-multiparty compatible 
(k-MC) if it is k-safe and k-exhaustive. 


Definition 9 is a natural extension of the definitions of synchronous multi- 
party compatibility given in [18, Definition 4.2] and [6, Definition 4]. The com- 
mon key requirements are that every send action must be matched by a receive 
action (i.e., send actions are universally quantified), while at least one receive 
action must find a matching send action (i.e., receive actions are existentially 
quantified). Here, the universal check on send actions is done via the eventual 
reception property (ER) and the k-exhaustivity condition; while the existential 
check on receive actions is dealt with by the progress property (PG). 

Whenever systems are k-OBI and IBI, then k-exhaustivity implies that k- 
bounded executions are sufficient to make a sound decision wrt. safety. This is 
not necessarily the case for systems outside of this class, see Examples 3 and 5. 
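As an added example (not the authors' implementation), the following Python models the k-bounded semantics of Definition 3 and decides k-safety (Definition 4), k-exhaustivity (Definition 8) and hence k-MC (Definition 9) by exhaustively exploring RS_k(S). The client/server/logger system is constructed from the description of Example 1 (the automata of Figure 1 are not on this page), and ORP­HAN is a constructed two-party system that separates the two halves of k-MC.

```python
from collections import deque

# An action is (channel, kind, msg) with channel = (sender, receiver) and kind "!" (send)
# or "?" (receive): send("c", "s", "req") is cs!req and recv("c", "s", "req") is cs?req.
def send(p, q, m): return ((p, q), "!", m)
def recv(p, q, m): return ((p, q), "?", m)
def subj(act): return act[0][0] if act[1] == "!" else act[0][1]

def aut(*trans):
    """{state: [(action, next_state)]} from (state, action, next_state) triples."""
    delta = {}
    for st, act, nxt in trans:
        delta.setdefault(st, []).append((act, nxt))
        delta.setdefault(nxt, [])
    return delta

class System:
    """System of CSA under k-bounded FIFO semantics; automata = {p: (initial_state, delta_p)}."""
    def __init__(self, automata):
        self.automata, self.parts = automata, sorted(automata)
        self.chans = [(p, q) for p in self.parts for q in self.parts if p != q]
    def initial(self):  # s_0 = (q_0; epsilon)
        return (tuple(self.automata[p][0] for p in self.parts), tuple(() for _ in self.chans))
    def outgoing(self, s, p):
        return self.automata[p][1].get(s[0][self.parts.index(p)], [])
    def kind(self, s, p):  # 'send', 'recv' or 'final' (CSA have no mixed states)
        outs = self.outgoing(s, p)
        return "final" if not outs else "send" if all(a[1] == "!" for a, _ in outs) else "recv"

    def step(self, s, k):
        """Definition 3 restricted to k-bounded targets (|w_pq| <= k); yields (action, s')."""
        q, w = s
        for i, p in enumerate(self.parts):
            for act, nxt in self.outgoing(s, p):
                ch, kind, msg = act
                ci = self.chans.index(ch)
                if kind == "!" and len(w[ci]) < k:
                    new_w = w[ci] + (msg,)             # enqueue at the tail
                elif kind == "?" and w[ci][:1] == (msg,):
                    new_w = w[ci][1:]                  # consume the head
                else:
                    continue
                yield act, (q[:i] + (nxt,) + q[i + 1:], w[:ci] + (new_w,) + w[ci + 1:])

    def reach(self, start, k, avoid=None):
        """Configurations reachable from start by k-bounded executions phi with avoid not in phi."""
        seen, todo = {start}, deque([start])
        while todo:
            x = todo.popleft()
            for act, y in self.step(x, k):
                if subj(act) != avoid and y not in seen:
                    seen.add(y)
                    todo.append(y)
        return seen

    def eventually(self, confs, k, pred):  # is an action satisfying pred enabled somewhere in confs?
        return any(pred(a) for x in confs for a, _ in self.step(x, k))

    def k_safe(self, k):
        """Definition 4: eventual reception (ER) and progress (PG) over RS_k(S)."""
        for s in self.reach(self.initial(), k):
            fut = self.reach(s, k)
            for ci, ch in enumerate(self.chans):  # (ER): the head of every queue can be consumed
                if s[1][ci] and not self.eventually(fut, k, lambda a: a == (ch, "?", s[1][ci][0])):
                    return False
            for p in self.parts:                  # (PG): a receiving automaton can receive
                if self.kind(s, p) == "recv" and not self.eventually(
                        fut, k, lambda a: subj(a) == p and a[1] == "?"):
                    return False
        return True

    def k_exhaustive(self, k):
        """Definition 8: every send of a sending automaton p can fire after some
        k-bounded execution in which p itself does not move."""
        for s in self.reach(self.initial(), k):
            for p in self.parts:
                if self.kind(s, p) == "send":
                    fut = self.reach(s, k, avoid=p)
                    if not all(self.eventually(fut, k, lambda a, act=act: a == act)
                               for act, _ in self.outgoing(s, p)):
                        return False
        return True

    def k_mc(self, k):  # Definition 9
        return self.k_safe(k) and self.k_exhaustive(k)

# Constructed system loosely following the description of Example 1: the client fires off a
# request and some data, then waits for the response; the server answers before consuming
# the data, then notifies the logger (the real automata of Figure 1 are not on this page).
CLIENT_SERVER_LOGGER = System({
    "c": (0, aut((0, send("c", "s", "req"), 1), (1, send("c", "s", "data"), 2),
                 (2, recv("s", "c", "res"), 3))),
    "s": (0, aut((0, recv("c", "s", "req"), 1), (1, send("s", "c", "res"), 2),
                 (2, recv("c", "s", "data"), 3), (3, send("s", "l", "log"), 4))),
    "l": (0, aut((0, recv("s", "l", "log"), 1))),
})
# Constructed: p sends a message q never consumes (orphan): 1-exhaustive but not 1-safe (ER).
ORPHAN = System({"p": (0, aut((0, send("p", "q", "a"), 1))), "q": (0, {0: []})})
```

With k = 1 the client/server/logger system is reported 1-MC; since its automata are directed it is k-OBI and IBI, so Theorem 1 yields safety, whereas ORPHAN is 1-exhaustive but fails (ER).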


Example 3. The system $(M_p, M_q, M_r)$ in Figure 2 is $k$-OBI for any $k$, but not IBI (it is 1-IBI but not $k$-IBI for any $k \geq 2$). When executing with a bound strictly greater than 1, there is a configuration where $M_r$ is in its initial state and both its receive transitions are enabled. The system is 1-safe and 1-exhaustive (hence 1-MC) but it is not 2-exhaustive nor 2-safe. By constraining the automata to execute with a channel bound of 1, the left branch of $M_r$ is prevented from executing together with the right branch of $M_q$. Thus, the fact that the $y$ messages are not received in this case remains invisible in 1-bounded executions. This example can be easily extended so that it is $n$-exhaustive (resp. safe) but not $n{+}1$-exhaustive (resp. safe) by sending/receiving $n{+}1$ $a_i$ messages.


Example 4. The system in Figure 1 is directed and 1-MC. The system $(M_p, M_q)$ in Figure 3 is safe but not $k$-MC for any finite $k \in \mathbb{N}_{>0}$. Indeed, for any execution of this system, at least one of the queues grows arbitrarily large. The system $(M_p, N_q)$ is 1-MC while the system $(M_p, N'_q)$ is not 1-MC but it is 2-MC.


8 Julien Lange and Nobuko Yoshida 


[Figure 4: automata $M_p$, $M_q$, $M_r$ and $M_s$ (one transition drawn dotted); visible transition labels include $ps!z$, $pq!y$, $rq?z$, $pr!w$, $pq!v$, $pr!u$, $pq?y$ and $pq?u$.]

Fig. 4. Example of a system which is not 1-OBI.


Example 5. The system in Figure 4 (without the dotted transition) is 1-MC, but not 2-safe; it is not 1-OBI but it is 2-OBI. In 1-bounded executions, $M_r$ can execute $rs!b \cdot rp!z$, but it cannot fire $rs!b \cdot rs!a$ (queue $rs$ is full), which violates the 1-OBI property. The system with the dotted transition is not 1-OBI, but it is 2-OBI and $k$-MC for any $k > 1$. Both systems are receive directed, hence IBI.


Theorem 1. If S is k-OBI, IBI, and k-MC, then it is safe. 


Remark 4. It is undecidable whether there exists a bound $k$ for which an arbitrary system is $k$-MC. This is a consequence of the Turing completeness of communicating (session) automata [10,20,43].


Although the IBI property is generally undecidable, it is possible to identify sound approximations, as we show below. We adapt the dependency relation from [40] and say that action $\ell'$ depends on $\ell$ from $s = (\mathbf{q}; \mathbf{w})$, written $s \vdash \ell < \ell'$, iff $\mathit{subj}(\ell) = \mathit{subj}(\ell') \vee (\mathit{chan}(\ell) = \mathit{chan}(\ell') \wedge w_{\mathit{chan}(\ell)} = \varepsilon)$. Action $\ell'$ depends on $\ell$ in $\phi$ from $s$, written $s \vdash \ell <_\phi \ell'$, if the following holds:

$$
s \vdash \ell <_\phi \ell' \iff
\begin{cases}
(s \vdash \ell < \ell'' \wedge s \vdash \ell'' <_\psi \ell') \vee s \vdash \ell <_\psi \ell' & \text{if } \phi = \ell'' \cdot \psi \\
s \vdash \ell < \ell' & \text{otherwise}
\end{cases}
$$


Definition 10. $S$ is $k$-chained input bound independent ($k$-CIBI) if $\forall s = (\mathbf{q}; \mathbf{w}) \in \mathit{RS}_k(S)$ and $\forall p \in P$, if $s \xrightarrow{qp?a}_k s'$, then $\forall (q_p, sp?b, q'_p) \in \delta_p : s \neq q \implies \neg(s \xrightarrow{sp?b}_k) \wedge (\forall \phi \in A^* : s' \xrightarrow{\phi}_k \xrightarrow{sp!b}_k \implies s' \vdash qp?a <_\phi sp!b)$.


Definition 11. $S$ is $k$-strong input bound independent ($k$-SIBI) if $\forall s = (\mathbf{q}; \mathbf{w}) \in \mathit{RS}_k(S)$ and $\forall p \in P$, if $s \xrightarrow{qp?a}_k s'$, then $\forall (q_p, sp?b, q'_p) \in \delta_p : s \neq q \implies \neg(s \xrightarrow{sp?b}_k \vee s' \to^*_k \xrightarrow{sp!b}_k)$.


Definition 10 requires that whenever p can fire a receive action, at most 
one of its receive actions is enabled at s, and no other receive transition from 
qp will be enabled until p has made a move. This is due to the existence of a 
dependency chain between the reception of a message (qp?a) and the matching 
send of another possible reception (sp!b). Property k-SIBI (Definition 11) is a 
stronger version of k-CIBI, which can be checked more efficiently. 


Lemma 1. If S is k-OBI, k-CIBI (resp. k-SIBI) and k-exhaustive, then it is IBI. 
The decidability of $k$-OBI, $k$-IBI, $k$-SIBI, $k$-CIBI, and $k$-MC is straightforward since both $\mathit{RS}_k(S)$ (which has an exponential number of states wrt. $k$) and $\to_k$ are finite, given a finite $k$. Theorem 2 states the space complexity of the procedures, except for $k$-CIBI for which a complexity class is yet to be determined. We show that the properties are PSPACE by reducing to an instance of the reachability problem over a transition system built following the construction of Bollig et al. [8, Theorem 6.3]. The rest of the proof follows from similar arguments in Genest et al. [22, Proposition 5.5] and Bouajjani et al. [9, Theorem 3].


Theorem 2. The problems of checking the $k$-OBI, $k$-IBI, $k$-SIBI, $k$-safety, and $k$-exhaustivity properties are all decidable and PSPACE-complete (with $k \in \mathbb{N}_{>0}$ given in unary). The problem of checking the $k$-CIBI property is decidable.


3.2 Local Bound-Agnosticity 


We introduce local bound-agnosticity and show that it fully characterises $k$-exhaustive systems. Local bound-agnosticity guarantees that each communicating automaton behaves in the same manner for any bound greater than or equal to some $k$. Therefore, such systems may be executed transparently under a bounded semantics (a communication model available in Go and Rust).


Definition 12 (Transition system). The $k$-bounded transition system of $S$ is the labelled transition system (LTS) $\mathit{TS}_k(S) = (N, s_0, \Delta)$ such that $N = \mathit{RS}_k(S)$, $s_0$ is the initial configuration of $S$, $\Delta \subseteq N \times A \times N$ is the transition relation, and $(s, \ell, s') \in \Delta$ if and only if $s \xrightarrow{\ell}_k s'$.


Definition 13 (Projection). Let $T$ be an LTS over $A$. The projection of $T$ onto $p$, written $\pi^1_p(T)$, is obtained by replacing each label $\ell$ in $T$ by $\pi_p(\ell)$.


Recall that the projection of action $\ell$, written $\pi_p(\ell)$, is defined in Section 2. The automaton $\pi^1_p(\mathit{TS}_k(S))$ is essentially the local behaviour of participant $p$ within the transition system $\mathit{TS}_k(S)$. When each automaton in a system $S$ behaves equivalently for any bound greater than or equal to some $k$, we say that $S$ is locally bound-agnostic. Formally, $S$ is locally bound-agnostic for $k$ when $\pi^1_p(\mathit{TS}_k(S))$ and $\pi^1_p(\mathit{TS}_n(S))$ are weakly bisimilar ($\approx$) for each participant $p$ and any $n \geq k$. For $k$-OBI and IBI systems, local bound-agnosticity is a necessary and sufficient condition for $k$-exhaustivity, as stated in Theorem 3 and Corollary 1.


Theorem 3. Let $S$ be a system.

(1) If $\exists k \in \mathbb{N}_{>0} : \forall p \in P : \pi^1_p(\mathit{TS}_k(S)) \approx \pi^1_p(\mathit{TS}_{k+1}(S))$, then $S$ is $k$-exhaustive.

(2) If $S$ is $k$-OBI, IBI, and $k$-exhaustive, then $\forall p \in P : \pi^1_p(\mathit{TS}_k(S)) \approx \pi^1_p(\mathit{TS}_{k+1}(S))$.

Corollary 1. Let $S$ be $k$-OBI and IBI s.t. $\forall p \in P : \pi^1_p(\mathit{TS}_k(S)) \approx \pi^1_p(\mathit{TS}_{k+1}(S))$, then $S$ is locally bound-agnostic for $k$.


Theorem 3 (1) is reminiscent of the (PSPACE-complete) checking procedure 
for existentially bounded systems with the stable property [22] (an undecidable 
property). Recall that k-exhaustivity is not sufficient to guarantee safety, see Ex- 
amples 3 and 5. We give an effective procedure (based on partial order reduction) 
to check k-exhaustivity and related properties in Appendix A. 
[Figure 5 (diagram): nested classes within the $k$-OBI and IBI communicating session automata, labelled $\exists S$-$k$-bounded (Def. 16), $\exists$-$k$-bounded (Def. 15) and $k$-synchronisable (Def. 17).]

Fig. 5. Relations between $k$-exhaustivity, existential $k$-boundedness, and $k$-synchronisability in $k$-OBI and IBI CSA (the circled numbers refer to Table 1).


4 Existentially Bounded and Synchronisable Automata 


4.1 Kuske and Muscholl’s Existential Boundedness 


Existentially bounded communicating automata [21,22,36] are a class of communicating automata whose executions can always be scheduled in such a way that the number of pending messages is bounded by a given value. Traditionally, existentially bounded communicating automata are defined on communicating automata that feature (local) accepting states and in terms of accepting runs. An accepting run is an execution (starting from $s_0$) which terminates in a configuration $(\mathbf{q}; \mathbf{w})$ where each $q_p$ is a local accepting state. In our setting, we simply consider that every local state $q_p$ is an accepting state, hence any execution $\phi$ starting from $s_0$ is an accepting run. We first study existential boundedness as defined in [36], as it matches more closely $k$-exhaustivity; we study the "classical" definition of existential boundedness [22] in Section 4.2.

Following [36], we say that an execution $\phi \in A^*$ is valid if for any prefix $\psi$ of $\phi$ and any channel $pq \in C$, we have that $\pi^?_{pq}(\psi)$ is a prefix of $\pi^!_{pq}(\psi)$, i.e., an execution is valid if it models the FIFO semantics of communicating automata.


Definition 14 (Causal equivalence [36]). Given $\phi, \psi \in A^*$, we define: $\phi \asymp \psi$ iff $\phi$ and $\psi$ are valid executions and $\forall p \in P : \pi_p(\phi) = \pi_p(\psi)$. We write $[\phi]_\asymp$ for the equivalence class of $\phi$ wrt. $\asymp$.


Definition 15 (Existential boundedness [36]). We say that a valid execution $\phi$ is $k$-match-bounded if, for every prefix $\psi$ of $\phi$, the difference between the number of matched events of type $pq!$ and those of type $pq?$ is bounded by $k$, i.e., $\min\{|\pi^!_{pq}(\psi)|, |\pi^?_{pq}(\phi)|\} - |\pi^?_{pq}(\psi)| \leq k$.

Write $A^*|_k$ for the set of $k$-match-bounded words. An execution $\phi$ is existentially $k$-bounded if $[\phi]_\asymp \cap A^*|_k \neq \emptyset$. A system $S$ is existentially $k$-bounded, written $\exists$-$k$-bounded, if each execution in $\{\phi \mid \exists s : s_0 \xrightarrow{\phi} s\}$ is existentially $k$-bounded.


Example 6. Consider Figure 3. $(M_p, M_q)$ is not existentially $k$-bounded, for any $k$: at least one of the queues must grow infinitely for the system to progress. Systems $(M_p, N_q)$ and $(M_p, N'_q)$ are existentially bounded since any of their executions can be scheduled to an $\asymp$-equivalent execution which is 2-match-bounded.
The relationship between $k$-exhaustivity and existential boundedness is stated in Theorem 4 and illustrated in Figure 5 for $k$-OBI and IBI CSA, where SMC refers to synchronous multiparty compatibility [18, Definition 4.2]. The circled numbers in the figure refer to key examples summarised in Table 1. The strict inclusion of $k$-exhaustivity in existential $k$-boundedness is due to systems that do not have the eventual reception property, see Example 7.


Example 7. The system below is $\exists$-1-bounded but is not $k$-exhaustive for any $k$.

[Figure: the automata $M_p$, $M_s$ and $M_r$ of this system; visible transition labels include $sp?c$ on $M_p$ and $sr?a$ on $M_r$.]

For any $k$, the channel $sp$ eventually gets full and the send action $sp!b$ can no longer be fired; hence it does not satisfy $k$-exhaustivity. Note that each execution can be reordered into a 1-match-bounded execution (the $b$'s are never matched).


Theorem 4. (1) If $S$ is $k$-OBI, IBI, and $k$-exhaustive, then it is $\exists$-$k$-bounded. (2) If $S$ is $\exists$-$k$-bounded and satisfies eventual reception, then it is $k$-exhaustive.


4.2 Existentially Stable Bounded Communicating Automata 


The "classical" definition of existentially bounded communicating automata as found in [22] differs slightly from Definition 15, as it relies on a different notion of accepting runs, see [22, page 4]. Assuming that all local states are accepting, we adapt their definition as follows: a stable accepting run is an execution $\phi$ starting from $s_0$ which terminates in a stable configuration.


Definition 16 (Existential stable boundedness [22]). A system $S$ is existentially stable $k$-bounded, written $\exists S$-$k$-bounded, if for each execution $\phi$ in $\{\phi \mid \exists (\mathbf{q}; \boldsymbol{\varepsilon}) \in \mathit{RS}(S) : s_0 \xrightarrow{\phi} (\mathbf{q}; \boldsymbol{\varepsilon})\}$ there is $\psi$ such that $s_0 \xrightarrow{\psi}_k$ with $\phi \asymp \psi$.


A system is existentially stable $k$-bounded if each of its executions leading to a stable configuration can be re-ordered into a $k$-bounded execution (from $s_0$).


Theorem 5. (1) If S is existentially k-bounded, then it is existentially stable 
k-bounded. (2) If S is existentially stable k-bounded and has the stable property, 
then it is existentially k-bounded. 


We illustrate the relationship between existentially stable bounded commu- 
nicating automata and the other classes in Figure 5. The example below further 
illustrates the strictness of the inclusions, see Table 1 for a summary. 


Example 8. Consider the systems in Figure 3. $(M_p, M_q)$ and $(M_p, N'_q)$ are (trivially) existentially stable 1-bounded since none of their (non-empty) executions terminate in a stable configuration. The system $(M_p, N_q)$ is existentially stable 2-bounded since each of its executions can be re-ordered into a 2-bounded one. The system in Example 7 is (trivially) $\exists S$-1-bounded: none of its (non-empty) executions terminate in a stable configuration (the $b$'s are never received).


Theorem 6. Let $S$ be an $\exists(S)$-$k$-bounded system with the stable property, then it is $k$-exhaustive.
Table 1. Properties for key examples, where direct. stands for directed, OBI for $k$-OBI, SIBI for $k$-SIBI, ER for eventual reception property, SP for stable property, exh. for $k$-exhaustive, $\exists(S)$-b for $\exists(S)$-bounded, and syn. for $n$-synchronisable (for some $n \in \mathbb{N}_{>0}$).

# | System                 | Ref.   | k    | direct. | OBI | SIBI | safe | ER  | SP  | exh. | $\exists S$-b | $\exists$-b | syn.
1 | $(M_c, M_s, M_l)$      | Fig. 1 | 1    | yes     | yes | yes  | yes  | yes | yes | yes  | yes           | yes         | yes
2 | $(M_s, M_q, M_r)$      | Ex. 2  | 1    | yes     | yes | yes  | no   | yes | yes | yes  | yes           | yes         | yes
3 | $(M_p, M_q, M_r)$      | Fig. 2 | ≥ 2  | no      | yes | no   | no   | no  | no  | no   | yes           | yes         | no
4 | $(M_p, M_q)$           | Fig. 3 | any  | yes     | yes | yes  | yes  | yes | no  | no   | yes           | no          | no
5 | $(M_p, N'_q)$          | Fig. 3 | 2    | yes     | yes | yes  | yes  | yes | no  | yes  | yes           | yes         | no
6 | $(M_p, M_q, M_r, M_s)$ | Fig. 4 | 2    | no      | yes | yes  | yes  | yes | no  | yes  | yes           | yes         | no
7 | $(M_s, M_r, M_p)$      | Ex. 7  | any  | yes     | yes | yes  | no   | no  | no  | no   | yes           | yes         | yes
8 | $(M_p, M_q)$           | Ex. 9  | 1    | yes     | yes | yes  | yes  | yes | yes | yes  | yes           | yes         | no


4.3 Synchronisable Communicating Session Automata 


In this section, we study the relationship between synchronisability [9] and k- 
exhaustivity via existential boundedness. Informally, communicating automata 
are synchronisable if each of their executions can be scheduled in such a way 
that it consists of sequences of "exchange phases", where each phase consists of 
a bounded number of send actions, followed by a sequence of receive actions. 
The original definition of k-synchronisable systems [9, Definition 1] is based on 
communicating automata with mailbox semantics, i.e., each automaton has one 
input queue. Here, we adapt the definition so that it matches our point-to-point 
semantics. We write A_! for A ∩ (C × {!} × Σ), and A_? for A ∩ (C × {?} × Σ). 


Definition 17 (Synchronisability). A valid execution φ = φ_1 ··· φ_n is a k- 
exchange if and only if: (1) ∀1 ≤ i ≤ n : φ_i ∈ A_!^* · A_?^* ∧ |φ_i| ≤ 2k; and 
(2) ∀pq ∈ C : ∀1 ≤ i ≤ n : π^!_pq(φ_i) ≠ π^?_pq(φ_i) ⟹ ∀i < j ≤ n : π^?_pq(φ_j) = ε. 

We write A^*‖_k for the set of executions that are k-exchanges and say that 
an execution φ is k-synchronisable if [φ]_≍ ∩ A^*‖_k ≠ ∅. A system S is k- 
synchronisable if each execution in {φ | ∃s : s_0 −φ→ s} is k-synchronisable. 


Condition (1) says that execution φ should be a sequence of an arbitrary 
number of send-receive phases, where each phase consists of at most 2k actions. 
Condition (2) says that if a message is not received in the phase in which it is 
sent, then it cannot be received in φ. Observe that the bound k is on the number 
of actions (over possibly different channels) in a phase rather than the number 
of pending messages in a given channel. 


Example 9. The system below is 1-MC and ∃(S)-1-bounded, but it is not 
k-synchronisable for any k. Two ≍-equivalent executions of the system are given 
below, each written as a sequence of (maximal) send-then-receive subsequences. 

M_p : →○ −pq!a→ ○ −qp?c→ ○ −pq!b→ ○ −qp?d→ ○ 
M_q : →○ −qp!c→ ○ −qp!d→ ○ −pq?a→ ○ −pq?b→ 

φ_1 = [pq!a · qp!c · qp?c] · [qp!d · pq?a] · [pq!b · qp?d · pq?b] 
φ_2 = [pq!a · qp!c · qp!d · qp?c · pq?a] · [pq!b · qp?d · pq?b] 


Execution φ_1 is 1-bounded for s_0, but it is not a k-exchange since, e.g., a is 
received outside of the phase where it is sent. In φ_2, message d is received outside 
Table 2. Experimental evaluation. |P| is the number of participants, k is the bound, 
|RTS| is the number of transitions in the reduced TS_k(S) (see Appendix A), direct. 
stands for directed, Time is the time taken to check all the properties shown in this 
table, and GMC is yes if the system is generalised multiparty compatible [40]. 

Example                   | |P| | k | |RTS| | direct. | k-OBI | k-CIBI | k-MC | Time  | GMC 
Client-Server-Logger      |  3  | 1 |   11  |   yes   |  yes  |  yes   | yes  | 0.04s | no 
4 Player game† [40]       |  4  | 1 |   20  |   no    |  yes  |  yes   | yes  | 0.05s | yes 
Bargain [40]              |  3  | 1 |    8  |   yes   |  yes  |  yes   | yes  | 0.03s | yes 
Filter collaboration [69] |  2  | 1 |   10  |   yes   |  yes  |  yes   | yes  | 0.03s | yes 
Alternating bit† [60]     |  2  | 1 |    8  |   yes   |  yes  |  yes   | yes  | 0.04s | no 
TPMContract v2† [26]      |  2  | 1 |   14  |   yes   |  yes  |  yes   | yes  | 0.04s | yes 
Sanitary agency† [61]     |  4  | 1 |   34  |   yes   |  yes  |  yes   | yes  | 0.07s | yes 
Logistic† [54]            |  4  | 1 |   26  |   yes   |  yes  |  yes   | yes  | 0.05s | yes 
Cloud system v4 [25]      |  4  | 2 |   16  |   no    |  yes  |  yes   | yes  | 0.04s | yes 
Commit protocol [9]       |  4  | 1 |   12  |   yes   |  yes  |  yes   | yes  | 0.03s | yes 
Elevator† [9]             |  5  | 1 |   72  |   no    |  yes  |  no    | yes  | 0.14s | no 
Elevator-dashed† [9]      |  5  | 1 |   80  |   no    |  yes  |  no    | yes  | 0.16s | no 
Elevator-directed† [9]    |  3  | 1 |   41  |   yes   |  yes  |  yes   | yes  | 0.07s | yes 
Dev system [59]           |  4  | 1 |   20  |   yes   |  yes  |  yes   | yes  | 0.05s | no 
Fibonacci [48]            |  2  | 1 |    6  |   yes   |  yes  |  yes   | yes  | 0.03s | yes 
Sap-Negot. [48,53]        |  2  | 1 |   18  |   yes   |  yes  |  yes   | yes  | 0.04s | yes 
SH [48]                   |  3  | 1 |   30  |   yes   |  yes  |  yes   | yes  | 0.06s | yes 
Travel agency [48,65]     |  3  | 1 |   21  |   yes   |  yes  |  yes   | yes  | 0.05s | yes 
HTTP [30,48]              |  2  | 1 |   48  |   yes   |  yes  |  yes   | yes  | 0.07s | yes 
SMTP [31,48]              |  2  | 1 |  108  |   yes   |  yes  |  yes   | yes  | 0.08s | yes 
gen_server (buggy) [68]   |  3  | 1 |   56  |   no    |  no   |  yes   | no   | 0.03s | no 
gen_server (fixed) [68]   |  3  | 1 |   45  |   no    |  yes  |  yes   | yes  | 0.03s | yes 
double buffering [45]     |  3  | 2 |   16  |   yes   |  yes  |  yes   | yes  | 0.01s | no 

of its sending phase. In the terminology of [9], this system is not k-synchronisable 
because there is a "receive-send dependency" between the exchange of message 
c and b, i.e., p must receive c before it sends b. Hence, there is no k-exchange 
that is ≍-equivalent to φ_1 and φ_2. 


Theorem 7. (1) If S is k-synchronisable, then it is ∃-k-bounded. (2) If S is k- 
synchronisable and has the eventual reception property, then it is k-exhaustive. 


Figure 5 and Table 1 summarise the results of § 4 wrt. k-OBI and IBI CSA. 
We note that any finite-state system is k-exhaustive (and ∃(S)-k-bounded) for 
sufficiently large k, while this does not hold for synchronisability, see Example 9. 


5 Experimental Evaluation 


We have implemented our theory in a tool [34] which takes two inputs: (i) a 
system of communicating automata and (ii) a bound MAX. The tool iteratively 
checks whether the system validates the premises of Theorem 1, until it succeeds 
or reaches k = MAX. We note that the k-OBI and IBI conditions are required for 
our soundness result (Theorem 1), but are orthogonal for checking k-MC. Each 
condition is checked on a reduced bounded transition system, called RTS_k(S). 
Each verification procedure for these conditions is implemented in Haskell using 
a simple (depth-first-search based) reachability check on the paths of RTS_k(S). 
We give an (optimal) partial order reduction algorithm to construct RTS_k(S) 
in Appendix A and show that it preserves our properties. 
We have tested our tool on 20 examples taken from the literature, which are 
reported in Table 2. The table shows that the tool terminates virtually instanta- 
neously on all examples. The table suggests that many systems are indeed k-MC 
and most can be easily adapted to validate bound independence. The last col- 
umn refers to the GMC condition, a form of synchronous multiparty compatibility 
(SMC) introduced in [40]. The examples marked with † have been slightly modified 
to make them CSA that validate k-OBI and IBI. For instance, we take only 
one of the possible interleavings between mixed actions to remove mixed states 
(taking the send action before the receive action to preserve safety), see Appendix C. 

We have assessed the scalability of our approach with automatically generated 
examples, which we report in Figure 6. Each system considered in these 
benchmarks consists of 2m (directed) CSA for some m ≥ 1 such that S = 
(M_{p_i})_{1≤i≤2m}, and each automaton M_{p_i} is of the form (when i is odd): 

M_{p_i} : →○ −p_i p_{i+1}!a_1 … p_i p_{i+1}!a_n→ ○ ⋯ ○ (k sending states) 
             −p_{i+1} p_i?a_1 … p_{i+1} p_i?a_n→ ○ ⋯ ○ (k receiving states) 

Each M_{p_i} sends k messages to participant p_{i+1}, then receives k messages from 
p_{i+1}. Each message is taken from an alphabet {a_1, ..., a_n} (n ≥ 1). M_{p_i} has the 
same structure when i is even, but interacts with p_{i-1} instead. Observe that any 
system constructed in this way is k-MC for any k ≥ 1, n ≥ 1, and m ≥ 1. The 
shape of these systems allows us to assess how our approach fares in the worst 
case, i.e., a large number of paths in RTS_k(S). Figure 6 gives the time taken for 
our tool to terminate (y axis) wrt. the number of transitions in RTS_k(S) where 
k is the least natural number for which the system is k-MC. The plot on the left 
in Figure 6 gives the timings when k is increasing (every increment from k=2 to 
k=100) with the other parameters fixed (n=1 and m=5). The middle plot gives 
the timings when m is increasing (every increment from m=1 to m=26) with 
k=10 and n=1. The right-hand side plot gives the timings when n is increasing 
(every increment from n=1 to n=10) with k=2 and m=1. The largest RTS_k(S) 
on which we have tested our tool has 12222 states and 22220 transitions, and 
the verification took under 17 minutes.³ Observe that partial order reduction 
mitigates the increasing size of the transition system on which k-MC is checked, 
e.g., these experiments show that parameters k and m have only a linear effect 
on the number of transitions (see horizontal distances between data points). 
However the number of transitions increases exponentially with n (since the 
number of paths in each automaton increases exponentially with n). 


6 Related Work 


Theory of communicating automata Communicating automata were introduced, 
and shown to be Turing powerful, in the 1980s [10] and have since then been 


³ All the benchmarks in this paper were run on an 8-core Intel i7-7700 machine with 
16GB RAM running 64-bit Linux. 

Fig. 6. Benchmarks: increasing k (left), increasing m (middle), and increasing n (right). 


studied extensively, namely through their connection with message sequence 
charts (MSC) [46]. Several works achieved decidability results by using bag or 
lossy channels [1, 2,13, 14] or by restricting the topology of the network [37,58]. 


Existentially bounded communicating automata stand out because they pre- 
serve the FIFO semantics of communicating automata, do not restrict the topol- 
ogy of the network, and include infinite state systems. Given a bound k and an 
arbitrary system of (deterministic) communicating automata S, it is generally 
undecidable whether S is existentially k-bounded. However, the question be- 
comes decidable (PSPACE-complete) when S has the stable property. The stable 
property is itself generally undecidable (it is called deadlock-freedom in [22,36]). 
Hence this class is not directly applicable to the verification of message passing 
programs since its membership is overall undecidable. We have shown that k-OBI, 
IBI, and k-exhaustive CSA systems are (strictly) included in the class of existen- 
tially bounded systems. Hence, our work gives a sound practical procedure to 
check whether CSA are existentially k-bounded. To the best of our knowledge, the 
only tools dedicated to the verification of (unbounded) communicating automata 
are McScM [27] and Chorgram [41]. Bouajjani et al. [9] study a variation of com- 
municating automata with mailboxes (one input queue per automaton). They 
introduce the class of synchronisable systems and a procedure to check whether 
a system is k-synchronisable; it relies on executions consisting of k-bounded ex- 
change phases. Given a system and a bound k, it is decidable (PSPACE-complete) 
whether its executions are equivalent to k-synchronous executions. Section 4.3 
states that any k-synchronisable system which satisfies eventual reception is also 
k-exhaustive, see Theorem 7. In contrast to existential boundedness, synchro- 
nisability does not include all finite-state systems. Our characterisation result, 
based on local bound-agnosticity (Theorem 3), is unique to k-exhaustivity. It 
does not apply to existential boundedness nor synchronisability, see, e.g., Exam- 
ple 7. The term “synchronizability” is used by Basu et al. [3,4] to refer to another 
verification procedure for communicating automata with mailboxes. Finkel and 
Lozes [19] have shown that this notion of synchronizability is undecidable. We 
note that a system that is safe with a point-to-point semantics, may not be safe 
with a mailbox semantics (due to independent send actions), and vice-versa. For 
instance, the system in Figure 2 is safe when executed with mailbox semantics. 
Multiparty compatibility and programming languages The first definition of mul- 
tiparty compatibility appeared in [18, Definition 4.2], inspired by the work in [24], 
to characterise the relationship between global types and communicating au- 
tomata. This definition was later adapted to the setting of communicating timed 
automata in [6]. Lange et al. [40] introduced a generalised version of multiparty 
compatibility (GMC) to support communicating automata that feature mixed or 
non-directed states. Because our results apply to automata without mixed states, 
k-MC is not a strict extension of GMC, and GMC is not a strict extension of k-MC 
either, as it requires the existence of synchronous executions. In future work, we 
plan to develop an algorithm to synthesise representative choreographies from 
k-MC systems, using the algorithm in [40]. 

The notion of multiparty compatibility is at the core of recent works that 
apply session types techniques to programming languages. Multiparty compat- 
ibility is used in [51] to detect deadlocks in Go programs, and in [31] to study 
the well-formedness of Scribble protocols [65] through the compatibility of their 
projections. These protocols are used to generate various endpoint APIs that im- 
plement a Scribble specification [31,32,48], and to produce runtime monitoring 
tools [47,49,50]. Taylor et al. [68] use multiparty compatibility and choreography 
synthesis [40] to automate the analysis of the gen_server library of Erlang/OTP. 
We can transparently widen the set of safe programs captured by these tools by 
using k-MC instead of synchronous multiparty compatibility (SMC). The k-MC 
condition corresponds to a much wider instance of the abstract safety invariant 
φ for session types defined in [64]. Indeed k-MC includes SMC (see Appendix H) 
and all finite-state systems (for k sufficiently large). 


7 Conclusions 


We have studied CSA via a new condition called k-exhaustivity. The k-exhaustivity 
condition is (i) the basis for a wider notion of multiparty compatibility, k-MC, 
which captures asynchronous interactions and (ii) the first practical, empirically 
validated, sufficient condition for existential k-boundedness. We have shown that 
k-exhaustive systems are fully characterised by local bound-agnosticity (each au- 
tomaton behaves equivalently for any bound greater than or equal to k). This 
is a key requirement for asynchronous message passing programming languages 
where the possibility of having infinitely many orphan messages is undesirable, 
in particular for Go and Rust which provide bounded communication channels. 
For future work, we plan to extend our theory beyond CSA. We believe that it 
is possible to support mixed states and states which do not satisfy IBI, as long as 
their outgoing transitions are independent (i.e., if they commute). Additionally, 
to make k-MC checking more efficient, we will elaborate heuristics to find optimal 
bounds and off-load the verification of k-MC to an off-the-shelf model checker. 
A Partial order reduction for CSA 


In this section, we give a partial order reduction algorithm that allows us to 
mitigate the exponential cost of checking k-MC (wrt. the bound k) by exploiting 
the commutativity of independent actions. 

Next, we define the function partition(s) which partitions the transitions enabled 
at s, grouping them by subject and arranging them into a sorted list. 


Definition 18 (Partition). Let S, s ∈ RS_k(S), and TS_k(S) = (N, s_0, Δ). The 
partition of the enabled transitions at s is partition(s) ≜ L_1 ··· L_n such that 

1. {ℓ | s −ℓ→_k s'} = ∪_{1≤i≤n} L_i 
2. ∀1 ≤ i < j ≤ n : L_i ∩ L_j = ∅ and ℓ_i ∈ L_i ∧ ℓ_j ∈ L_j ⟹ subj(ℓ_i) ≠ subj(ℓ_j) 
3. ∀1 ≤ i ≤ n : ℓ, ℓ' ∈ L_i ⟹ subj(ℓ) = subj(ℓ') 
4. ∀1 ≤ i < j ≤ n : |L_i| ≤ |L_j| 


Definition 18 specifies (1) that the family of sets {L_i}_{1≤i≤n} is a partition of 
the transitions enabled at s and (2)-(3) that the function groups transitions executed 
by the same participant together. The last condition guarantees that the list is 
sorted by increasing order of cardinality, to decrease the state space generated by 
Algorithm 1. Definition 18 is used in Algorithm 1 which generates the transition 
relation Δ̂ of a reduced transition system (the states are implicit from Δ̂). 


Definition 19 (Reduced transition system). The reduced k-bounded tran- 
sition system of S is a labelled transition system RTS_k(S) = (N̂, s_0, Δ̂) which is 
a sub-graph of TS_k(S) such that Δ̂ is obtained from Algorithm 1 and N̂ is the 
smallest set such that s_0 ∈ N̂ and s ∈ N̂ ⟸ ∃(s_1, ℓ, s_2) ∈ Δ̂ : s ∈ {s_1, s_2}. We 
write s −ℓ→_R s' iff (s, ℓ, s') ∈ Δ̂. 


Algorithm 1 is adapted from the persistent-set selective search algorithm 
from [23, Chapter 4], where instead of computing a persistent state for each 
explored state, we use a partition of enabled transitions. Each L; in partition(s) 
can be seen as a persistent set since no transition outside of L; can affect the 
ability of transitions in L; to fire. Storing all enabled transitions in a list that is 
progressively consumed guarantees that no transition is forever deferred, hence 
the cycle proviso [57, Condition C3ii] is satisfied. 

Algorithm 1 starts by initialising the required data structures in Lines 1-3, 
i.e., the set of visited states (visited) and the set of accumulated transitions 
(accum) are initialised to the empty set, while the stack contains only the pair 
⟨s_0, []⟩ consisting of the initial state of TS_k(S) and the empty list. We overload 
[] so that it denotes the empty list and the empty stack. The algorithm iterates 
on the content of stack until it is empty. Each element of the stack is a pair 
containing a state s and a list of sets of transitions. For each pair ⟨s, E⟩, if E is 
empty, then we compute a new partition (Line 9). Then, we iterate over the first 
set of transitions in E (we assume head(E) = ∅ when E = []), so as to generate 
the successors of s according to head(E), see Lines 11-14. In Line 12, we write 
succ(s, ℓ) for the (unique) configuration s' such that s −ℓ→_k s'. In Line 13, the tail 
 1  visited ← ∅                          // visited states 
 2  accum ← ∅                            // transitions 
 3  stack ← [⟨s_0, []⟩]                  // todo 
 4  while stack ≠ [] do 
 5      ⟨s, E⟩ ← pop(stack) 
 6      if s ∉ visited then 
 7          visited ← visited ∪ {s} 
 8          if E = [] then 
 9              E ← partition(s) 
10          end 
11          for ℓ ∈ head(E) do 
12              s' ← succ(s, ℓ) 
13              push(stack, ⟨s', tail(E)⟩) 
14              accum ← accum ∪ {(s, ℓ, s')} 
15          end 
16      end 
17  end 
18  return accum 

Algorithm 1: Computing RTS_k(S). 


f(S, T) ≜ (snd-dir(S) ∨ k-OBI(S, T)) 
        ∧ (rcv-dir(S) ∨ k-SIBI(S, T) ∨ k-CIBI(S, T)) 
        ∧ k-exhaustive(S, T) 

 1  for 1 ≤ k ≤ MAX do 
 2      T ← RTS_k(S) 
 3      if f(S, T) then 
 4          return S is k-safe on T 
 5      end 
 6  end 
 7  return failed 

Algorithm 2: k-MC check. 


of the list E is pushed on the stack along with the successors s’. Finally, the 
algorithm returns a new set of transitions (Line 18). 

We adapt the definitions of k-OBI and k-SIBI to reduced transition systems, 
the definition of reduced k-CIBI is similar (see Definition 28). 


Definition 20 (Reduced k-OBI). Posing RTS_k(S) = (N̂, s_0, Δ̂). System S 
is reduced k-OBI if for all s = (q; w) ∈ N̂ and p ∈ P, if s −pq!a→_R, then 
∀(q_p, pr!b, q_p') ∈ δ_p : s −pr!b→_R. 

Definition 21 (Reduced k-SIBI). Posing RTS_k(S) = (N̂, s_0, Δ̂). System S 
is reduced k-SIBI if for all s = (q; w) ∈ N̂ and p ∈ P, if s −qp?a→_R, then 


? ! 
apitb?,) © bys 9eq =e (0 hy vay? By. 


The k-SIBI and k-CIBI properties (used to approximate IBI) can be decided 
on the reduced transition system (Theorem 8). The reduced k-OBI property is 
strictly weaker than the k-OBI property, see Example 10. However, the reduced 
k-OBI property can replace k-OBI in Theorem 1 while preserving safety, see The- 
orem 9. Figure 7 gives an overview of the relationships between the different 
variations of k-OBI, k-IBI, and directedness. The inclusions between IBI, k-CIBI, 
and k-SIBI hold only for (reduced) k-OBI and k-exhaustive systems, see Lemma 1. 


Theorem 8. Let S be reduced k-OBI. S is reduced k-CIBI (resp. k-SIBI) iff S is 
k-CIBI (resp. k-SIBI). 


Lemma 2. Let S be a system, if S is k-OBI, then S is also reduced k-OBI. 
Fig. 7. Overview of output and input bounded independence variations (k-OBI, 
reduced k-OBI, k-SIBI, k-CIBI, IBI and directedness). 


Theorem 9. If S is reduced k-OBI, IBI, and k-MC, then it is safe. 


Example 10. The system below is reduced 1-OBI, but not 1-OBI. There is a con- 
figuration in TS_1(S) from which M_p can fire pr!d but not pq!b. Depending on 
the ordering chosen to sort the list of sets of transitions in partition(_), pq?a 
may always be executed before M_p reaches the violating state in RTS_1(S), hence 
hiding the violation of k-OBI in the reduced transition system. 

(The figure lists the transitions pq!a, pq!b, pr!d and rp?c for M_p, pq?a and pq?b 
for M_q, and rp!c and pr?d for M_r; its exact shape is not recoverable here.) 

This system is k-exhaustive for any k ≥ 1 and (reduced) k-OBI for any k ≥ 2. 


Below we adapt the definitions of safety (Definition 4) and k-exhaustivity 
(Definition 8) to reduced transition systems. 


Definition 22 (Reduced k-safety). Posing RTS_k(S) = (N̂, s_0, Δ̂). System S 
is reduced k-safe if the following conditions hold for all s = (q; w) ∈ N̂, 

1. ∀pq ∈ C, if w_pq = a · w', then s −→_R^* −pq?a→_R 
2. ∀p ∈ P, if q_p is a receiving state, then s −→_R^* −qp?a→_R for some q ∈ P and a ∈ Σ. 


Definition 23 (Reduced k-exhaustivity). Posing RTS_k(S) = (N̂, s_0, Δ̂). 
System S is reduced k-exhaustive if for all s = (q; w) ∈ N̂ and p ∈ P, if q_p is a 
sending state, then ∀(q_p, ℓ, q_p') ∈ δ_p : ∃φ ∈ A^* : s −φ→_R −ℓ→_R and p ∉ φ. 


Next, we state that checking k-safety (resp. k-exhaustivity) is equivalent to 
checking reduced k-safety (resp. k-exhaustivity), which implies that checking k- 
MC can be done on RTS_k(S) instead of TS_k(S), the former being generally much 
smaller than the latter. We note that the reduction requires (reduced) k-OBI and 
k-IBI to hold as they imply that if a transition (q_p, ℓ, q_p') is enabled at s = (q; w), 
then we have that (i) all send actions outgoing from local state q_p are enabled at 
s (and they will stay enabled until one is fired) or (ii) exactly one receive action 
is enabled from q_p (and it will stay enabled until it is fired). 


Theorem 10. Let S be reduced k-OBI and reduced k-IBI. (1) S is reduced k-safe 
iff S is k-safe. (2) S is reduced k-exhaustive iff S is k-exhaustive. 


Algorithm 2 checks whether a system S is k-MC for some k ≤ MAX, where 
MAX is a user-provided constant. At each iteration, it constructs the RTS_k(S) of 
the input system S. If k is a sufficient bound to make a sound decision (function 
f(S, T)), then it tests for k-safety, otherwise it proceeds to the next iteration with 
k+1. Function f(S, T) checks whether the premises of Theorem 9 hold, i.e., if 
S is not send directed, written snd-dir(S), then it checks for k-OBI; if S is not 
receive directed, written rcv-dir(S), then it checks for k-SIBI or k-CIBI; then it 
checks whether k-exhaustivity holds (all conditions are checked on RTS_k(S)). 
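Algorithm 1, the reduced checks of Definitions 22 and 23, and the Algorithm 2 loop, as an added Python example (the paper's tool is in Haskell; this is not its code). It also builds the m = 1 instance of the Section 5 benchmark family, so the size of RTS_k(S) can be compared with that of TS_k(S) for the same system, and a small constructed system with an orphan message to show a failing k-safety check. The example is restricted to directed systems, for which f(S, T) reduces to k-exhaustivity (this restriction, the dict encoding of a system, and the names `benchmark`, `ORPHAN`, `reduced_ts`, `k_mc` are this example's own, not the paper's).

```python
"""Algorithm 1 (RTS_k(S) via partial order reduction), the reduced k-safety and k-exhaustivity
checks (Definitions 22 and 23) and the Algorithm 2 loop.  Added Python example, not the paper's
Haskell tool.  A system is a dict participant -> {state: [(label, next)]}, all automata starting in
state 0; labels read as in the paper ("pq!a": p sends a to q, "pq?a": q receives it)."""

def parse(label):                      # "pq!a" -> ("pq", "!", "a"): channel, kind, message
    return label[:2], label[2], label[3:]

def subj(label):                       # sender of a send, receiver of a receive
    ch, kind, _ = parse(label)
    return ch[0] if kind == "!" else ch[1]

def benchmark(k, n):                   # m = 1 instance of the Section 5 family
    def automaton(me, other):          # send k messages (each among a1..an), then receive k
        delta = {2 * k: []}
        for i in range(k):
            delta[i] = [(f"{me}{other}!a{j}", i + 1) for j in range(1, n + 1)]
            delta[k + i] = [(f"{other}{me}?a{j}", k + i + 1) for j in range(1, n + 1)]
        return delta
    return {"p": automaton("p", "q"), "q": automaton("q", "p")}

# Constructed non-k-MC system: p sends a, but q only ever expects b (orphan message).
ORPHAN = {"p": {0: [("pq!a", 1)], 1: []}, "q": {0: [("pq?b", 1)], 1: []}}

def initial(system):                   # configuration = (local states, sorted queue contents)
    return tuple(0 for _ in system), ()

def enabled(system, s, k):             # TS_k(S): sends need room in the channel, receives its head
    locs, queues = s
    out = []
    for idx, p in enumerate(sorted(system)):
        for label, nxt in system[p][locs[idx]]:
            ch, kind, msg = parse(label)
            qs = dict(queues); buf = qs.pop(ch, ())
            if kind == "!" and len(buf) < k:
                qs[ch] = buf + (msg,)
            elif kind == "?" and buf[:1] == (msg,):
                if buf[1:]: qs[ch] = buf[1:]
            else:
                continue
            out.append((label, (locs[:idx] + (nxt,) + locs[idx + 1:], tuple(sorted(qs.items())))))
    return out

def partition(system, s, k, reduce=True):
    """Definition 18: enabled labels grouped by subject, smallest group first (one group if not reduce)."""
    groups = {}
    for label, _ in enabled(system, s, k):
        groups.setdefault(subj(label) if reduce else None, []).append(label)
    return sorted(groups.values(), key=len)

def reduced_ts(system, k, reduce=True):
    """Algorithm 1 (a plain DFS of TS_k(S) if not reduce); tail(E) labels assumed still enabled (k-OBI/IBI)."""
    visited, accum, stack = set(), set(), [(initial(system), [])]
    while stack:
        s, E = stack.pop()
        if s in visited: continue
        visited.add(s)
        E = E or partition(system, s, k, reduce)
        succ = dict(enabled(system, s, k))      # KeyError below = persistent-set assumption violated
        for label in (E[0] if E else []):
            stack.append((succ[label], E[1:]))
            accum.add((s, label, succ[label]))
    return accum

def rts_graph(system, delta):           # nodes and adjacency of RTS_k(S)
    adj = {}
    for s, label, s2 in delta: adj.setdefault(s, []).append((label, s2))
    return {initial(system)} | {x for t in delta for x in (t[0], t[2])}, adj

def eventually_fires(adj, s, pred, avoid=None):  # path from s without `avoid`, then a pred-label fires?
    seen, todo = {s}, [s]
    while todo:
        for label, y in adj.get(todo.pop(), []):
            if pred(label):
                return True
            if subj(label) != avoid and y not in seen:
                seen.add(y); todo.append(y)
    return False

def reduced_k_exhaustive(system, delta):
    """Definition 23: each send of a sending state fires after a path not involving its subject."""
    nodes, adj = rts_graph(system, delta)
    return all(eventually_fires(adj, s, label.__eq__, avoid=p) for s in nodes
               for idx, p in enumerate(sorted(system))
               for label, _ in system[p][s[0][idx]] if parse(label)[1] == "!")

def reduced_k_safe(system, delta):
    """Definition 22: queued messages are eventually received; receiving states eventually receive."""
    nodes, adj = rts_graph(system, delta)
    for s in nodes:
        for idx, p in enumerate(sorted(system)):
            outs = system[p][s[0][idx]]
            if outs and all(parse(l)[1] == "?" for l, _ in outs) and not eventually_fires(
                    adj, s, lambda l, p=p: subj(l) == p and parse(l)[1] == "?"):
                return False
    return all(eventually_fires(adj, s, f"{ch}?{buf[0]}".__eq__) for s in nodes for ch, buf in s[1])

def k_mc(system, MAX):
    """Algorithm 2 for directed systems (assumed), where f(S,T) reduces to k-exhaustivity; (k, k-safe?) or None."""
    for k in range(1, MAX + 1):
        T = reduced_ts(system, k)
        if reduced_k_exhaustive(system, T):
            return k, reduced_k_safe(system, T)
    return None
```

For `benchmark(2, 1)` the full TS_2(S) has 28 transitions while Algorithm 1 yields a single path of 8: with all groups singletons, each state fires one participant's move and defers the other's in tail(E), which is exactly the persistent-set argument of the text. `k_mc(benchmark(2, 1), 5)` returns `(2, True)`: at bound 1 both automata block after one send each, so the configuration where each still has a pending send is not 1-exhaustive and the loop moves on to k = 2. `k_mc(ORPHAN, 3)` returns `(1, False)`: the bound is sufficient, but the queued a is never received and q never leaves its receiving state.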

The equivalence relation defined below relates executions which only differ 
by re-ordering of independent actions, it is used in several results below. 


Definition 24 (Projected equivalence). Let φ, ψ ∈ A^*, we define: φ ≡ ψ iff 
∀p ∈ P : π_p(φ) = π_p(ψ). 


Finally, we state the optimality of Algorithm 1: it never explores two execu- 
tions which are ≡-equivalent more than once. Our notion of optimality is slightly 
different from that of [70] since Algorithm 1 does not use sleep sets. 


Lemma 3. Let S be a system such that RTS_k(S) = (N̂, s_0, Δ̂), for all φ and φ' 
such that s_0 −φ→_R and s_0 −φ'→_R we have that: φ ≡ φ' ⟹ φ = φ'. 


B Overview of the proofs of Theorems 1 and 9 


The properties k-OBI and IBI, and k-exhaustivity together guarantee that any 
choice made by an automaton is not constrained nor influenced by the channel 
bounds. The proof that k-Mc guarantees safety for such systems crucially relies 
on this. The independence of choice wrt. the channel bounds for these CSA allows 
us to construct sets of executions that include all possible individual choices. We 
characterise this form of closure with the definition below, which is crucial for 
the further developments of this section. 


Definition 25 (k-Closed). Given a system S, Ψ ⊆ A^*, and s ∈ RS_k(S), we 
say that Ψ is k-closed for s, if the following two conditions hold: 

1. ∀φ ∈ Ψ : ∃s' ∈ RS_k(S) : s −φ→_k s' 
2. ∀φ_0 · pq!a · φ_1 ∈ Ψ s.t. s −φ_0→_k (q; w) and (q_p, ℓ, q_p') ∈ δ_p there is φ_0 · φ_2 · ℓ · φ_3 ∈ 
Ψ with φ_2 · φ_3 ∈ A^* and p ∉ φ_2. 


In other words, Ψ is k-closed for s if (1) all executions in Ψ, starting from s, 
lead to a configuration in RS_k(S) and (2) whenever an automaton p fires a send 
action in an execution in Ψ, then all possible choices that p can make are also 
represented in Ψ. 


Example 11. Consider the 1-MC system (M_p, M_q) below. 

(The figure lists the transitions pq!a, pq!b and qp?c for M_p, and pq?a, qp!c and 
qp!d for M_q, with a branching in M_q between qp!c and qp!d; its exact shape is 
not recoverable here.) 

The sets {ε} and {qp!c, qp!d, ε} are both 1-closed for s_0 = (0, 0; ε, ε). Instead, the 
set {qp!c, ε} is not 1-closed for s_0 since there is a branching in participant q that 
is not represented. 


Lemma 4 follows from the facts that (i) S is (reduced) k-OBI and (ii) S is 
k-exhaustive, i.e., all send actions are eventually enabled within the k-bounded 
executions. 


Lemma 4. Let S be reduced k-OBI and k-exhaustive. For all s ∈ RS_k(S), if 
s −pq!a→_k and Ψ = {φ | s −φ→_k −pq!a→_k ∧ p ∉ φ}, then Ψ ≠ ∅ is k-closed for s. 


Note that if pq!a is the only action enabled at s, then Ψ = {ε}. In general, 
we do not have ε ∈ Ψ, as shown in the example below. 


Example 12. Consider the 1-MC system (M_p, M_q) below. 

M_p : →○ −pq!a→ ○ −pq!b→ ○        M_q : →○ −pq?a→ ○ −pq?b→ ○ 

Pose s = (1, 0; a, ε), we have that the set {φ | s −φ→_1 −pq!b→_1 ∧ p ∉ φ} = {pq?a} is 
1-closed for s. Indeed, for the action pq!b to be fired in a 1-bounded execution, 
message a must be consumed first. 


Lemma 5 below states that if there is a k-closed set of executions for a 
configuration s, we can construct another k-closed set for any successor of s. 


Lemma 5. Let S be a k-IBI system, s, s' ∈ RS_k(S) and Ψ ⊆ A^* such that 
Ψ is k-closed for s, s −ℓ→_k s', and Ψ̂ = Ψ̂_1 ∪ Ψ̂_2, where 

Ψ̂_1 = {φ | φ ∈ Ψ ∧ subj(ℓ) ∉ φ} and Ψ̂_2 = {φ_1 · φ_2 | φ_1 · ℓ · φ_2 ∈ Ψ ∧ subj(ℓ) ∉ φ_1} 

Then the following holds: 

1. The set Ψ̂ is k-closed for s' 
2. For all ψ ∈ Ψ̂, there is φ ∈ Ψ such that either: 
   – ψ ∈ Ψ̂_1, ψ = φ, subj(ℓ) ∉ ψ, and there are t, t' ∈ RS_k(S) such that 
     s −φ→_k t, s' −ψ→_k t', and t −ℓ→_k t', and φ · ℓ ≡ ℓ · ψ; or 
   – ψ ∈ Ψ̂_2, there is t ∈ RS_k(S) such that s −φ→_k t, s' −ψ→_k t, and φ ≡ ℓ · ψ. 
3. Ψ̂ = ∅ ⟺ Ψ = ∅. 


Figure 8 (left and middle) illustrates the construction of the executions in Ψ̂. 
The crucial part of the proof is to show that Ψ̂ is indeed k-closed; this is done by 
case analysis on the structure of an arbitrary execution in Ψ̂. The assumption 
that S is a k-IBI system is key here: we can rely on the fact that if ℓ is a receive 
action, then it is the unique receive action that subj(ℓ) can execute from s. 

Next, Lemma 6 states that given the existence of a k-closed set of executions, 
one can find an alternative but equivalent path to a common configuration. We 
show the result below by induction on n, using Lemma 5. 
Fig. 8. Illustrations for Lemma 5 (left and middle: the executions φ ∈ Ψ and 
ψ ∈ Ψ̂ from s and s') and Lemma 6 (right: s_1 ··· s_n, t_1 ··· t_n and φ_1, ψ, φ_n). 


Lemma 6. Let S be a reduced k-OBI and k-IBI system, then for all s_1, ..., s_n ∈ 
RS_k(S), such that s_1 −ℓ_1→_k s_2 ··· s_{n-1} −ℓ_{n-1}→_k s_n (with n ≥ 1). If there is ∅ ≠ 
Ψ ⊆ A^* such that Ψ is k-closed for s_1, then there is φ_1 ∈ Ψ and ψ, φ_n ∈ A^* such 
that s_1 −φ_1→_k t_1 −ψ→_k t_n and s_n −φ_n→_k t_n, for some t_1, t_n ∈ RS_k(S) with |ψ| < n 
and φ_1 · ψ ≡ ℓ_1 ··· ℓ_{n-1} · φ_n. 


Figure 8 (right) illustrates Lemma 6. A key consequence of Lemma 4 and 
Lemma 6 is that if s_1 ∈ RS_k(S), then we have s_1 −φ_1→_k t_1 with φ_1 ∈ Ψ, i.e., t_1 ∈ RS_k(S); 
we use this result to show Lemma 7. 


Lemma 7. Let S be reduced k-OBI, k+1-IBI, and k-exhaustive, then for all s ∈ 
RS_k(S) and s' ∈ RS_{k+1}(S) such that s −φ→_{k+1} s', there is t ∈ RS_k(S) and 
ψ, ψ' ∈ A^*, such that s −ψ→_k t, s' −ψ'→_{k+1} t, and φ · ψ' ≡ ψ. 


Lemma 7 states that if S is (reduced) k-OBI, k+1-IBI, and k-exhaustive then 
there is a path from any k+1-reachable configuration to a k-reachable configu- 
ration. The proof is by induction on the length of φ using Lemma 4 as a starting 
assumption, then applying Lemma 6 repeatedly. 


Remark 5. The assumption that S is k+1-IBI is required, see Figure 2 for an 
example that is 1-OBI, 1-IBI, and 1-exhaustive but for which the conclusions of 
Lemma 7 do not hold. 


Since the IBI property is undecidable in general, we have introduced the k-CIBI 
and k-SIBI properties as sound approximations of IBI, for k-OBI and k-exhaustive 
systems. We give a brief overview of the proof of Lemma 8 (part of which implies 
Lemma 1). The proof that k-CIBI implies IBI is similar, see Lemma 27 for the 
key result. 


Lemma 8. If S is reduced k-OBI, k-SIBI, and k-exhaustive, then it is k+1-SIBI. 


To show Lemma 8, we show that for any system that is reduced k-OBI, 
k-SIBI, and k-exhaustive, the k+1-IBI property holds, i.e., Lemma 23. The proof 
of Lemma 23 is by induction on the length of an execution from so. Then we 
show the final result by contradiction, using Lemma 7 to find an execution that 
leads to a k-reachable configuration. 
C Experimental evaluation: modified examples 


The examples marked with † have been slightly modified to make them CSA 
that validate k-OBI and IBI. To remove mixed states, we take only one of the 
possible interleavings between mixed actions (we take the send action before the 
receive action to preserve safety). The 4 Player game from [40] has been modified 
so that interleavings of mixed actions are removed (it is the only example of 
Table 2 that is k-CIBI but not k-SIBI). The Logistic example from [54, Figure 
11.4] has been modified so that the Supplier interacts sequentially (instead of 
concurrently) with the Shipper then the Consignee. We have added two dummy 
automata to the Elevator example from [9] which send (resp. receive) messages to 
(resp. from) the Door so that a mixed state can be removed. The Elevator-dashed 
example is a variant of the Elevator which is not synchronisable. These examples 
are not k-IBI (for any k) because the Elevator automaton can reach a state where 
it can consume messages sent by different participants (messages doorClosed 
and openDoor). This situation cannot occur with a mailbox semantics, as in [9], 
since each automaton has only one input queue. The Elevator-directed example 
is another variation where all the automata are directed. 


D Extended related work 


Theory of communicating automata Communicating automata were introduced 
in the 1980s [10] and have since then been studied extensively, namely through 
their connection with message sequence charts (MSC) [46]. We focus on closely 
related works. Several works achieved decidability results by restricting the 
model. For instance, some of these works substitute reliable and ordered channels 
with bag or lossy channels [1,2,13,14]. La Torre et al. [37] restrict the topology of 
the network so that each automaton can only consume messages from one queue 
(but can send messages to all other queues). Peng and Purushothaman [58] show 
that reachability, deadlock detection, and un-boundedness detection are decid- 
able for the class of systems where each pair of automata can only exchange one 
type of message and the topology of the network is a simple cycle. DeYoung and 
Pfenning [89] investigate a relationship between proofs in a fragment of linear 
logic and communicating automata that interact via a pipeline topology. 

Out of these several variations, existentially bounded communicating au- 
tomata stand out because they preserve the FIFO semantics of communicating 
automata, do not restrict the topology of the network, and include systems with 
an infinite state-space. Existential bounds for MSCs first appeared in [104] and 
were later applied to the study of communicating automata through MSCs and 
monadic second order logic in [21,22]. Given a bound k and an arbitrary system of 
(deterministic) communicating automata S, it is generally undecidable whether S 
is existentially k-bounded. However, the question becomes decidable when S has 
the stable property (a property called deadlock-freedom in [22,36]); the problem 
is PSPACE-complete. The stable property is generally a desirable characteristic, 
but it is generally undecidable. Hence the bounded class is not directly applicable 
to verifying properties of message passing programs since its membership is 
undecidable overall. We have shown that (i) k-OBI, IBI, and k-exhaustive CSA 
systems are (strictly) included in the class of existentially bounded systems, (ii) 
systems that are existentially bounded (in the sense of [36]) and have the even- 
tual reception property are k-exhaustive; and (iii) systems that are existentially 
stable bounded [22] and have the stable property are k-exhaustive. Hence, our 
work gives a sound practical procedure to check whether CSA are existentially 
bounded. Inspired by the work in [22], Darondeau et al. [85] give decidability 
results for “data-branching” task systems, which are communicating automata 
with internal transitions whose only branching states are those where an inter- 
nal choice takes place. The relationship between communicating automata and 
monadic second order logic was further studied in [77,78]. To the best of our 
knowledge, the only tools dedicated to the verification of (unbounded) commu- 
nicating automata are McScM [27] and Chorgram [41]. Bouajjani et al. [9] study 
a variation of communicating automata with mailboxes (one input queue per au- 
tomaton). They introduce the class of synchronisable systems and a procedure 
to check whether a system is k-synchronisable; it relies on executions consisting 
of k-bounded exchange phases. Given a system and a bound k, it is decidable 
(PSPACE-complete) whether its executions are equivalent to k-synchronous exe- 
cutions. In Section 4.3, we have shown that any k-synchronisable system which 
satisfies eventual reception is also k-exhaustive, see Theorem 7. Our charac- 
terisation result, based on local bound-agnosticity (Theorem 3), is unique to 
k-exhaustivity. It does not apply to existential boundedness nor synchronis- 
ability, see, e.g., Example 7. The term “synchronizability” has been used by Basu 
et al. [3,4] to refer to another procedure for checking properties of communicating 
automata with mailboxes. Their notion of synchronizability requires that, for a 
given system, its synchronous executions are equivalent to its asynchronous ex- 
ecutions when considering send actions only. Finkel and Lozes [19] have later 
shown that this notion of synchronizability is in fact undecidable. 

In future work, we would like to study whether our results can be adapted 
to automata which communicate via mailboxes. We note that a system that is 
safe with a point-to-point semantics, may not be safe with a mailbox semantics, 
and vice-versa. For instance, the system in Figure 2 is safe when executed with 
mailbox semantics. However, the system below is safe in the point-to-point se- 
mantics, but unsafe with mailbox semantics due to the fact that r may receive 
b before a. To the best of our knowledge, precise relationships and translations 
between mailbox and point-to-point semantics have yet to be studied. 


[Figure: automata p (transition pr!a), q (transition qr!b), and r (transition pr?a followed by qr?b); the figure itself is not reproduced in this extraction.] 


Multiparty compatibility The first definition of multiparty compatibility ap- 
peared in [18, Definition 4.2], inspired by the work in [24], to characterise the 
relationship between global types and communicating automata. This definition 
was later adapted to the setting of communicating timed automata in [6]. Lange 
et al. [40] introduced a generalised version of multiparty compatibility (GMC) 
to support communicating automata that feature mixed or non-directed states. 
Because our results apply to automata without mixed states, k-MC is not a 
strict extension of GMC, and GMC is not a strict extension of k-MC either, as 
it requires the existence of synchronous executions. We discuss how our results 
may be extended to support communicating automata with mixed states in Sec- 
tion 7. In future work, we will develop an algorithm to synthesise representative 
choreographies from k-MC systems, using the algorithm in [40]. 


Communicating automata and programming languages The notion of multiparty 
compatibility is at the core of recent works that apply session types techniques 
to mainstream programming languages. Ng and Yoshida [51] use the multi- 
party compatibility defined in [40] to detect deadlocks in Go programs. Hu and 
Yoshida [31] study the well-formedness of Scribble protocols [65] through the 
multiparty compatibility of their projections. These protocols are used to gener- 
ate various endpoint APIs implementing a Scribble specification [31, 32,48] and 
to produce runtime monitoring tools [47, 49, 50]. Taylor et al. [68] use multi- 
party compatibility and choreography synthesis [40] to automate the analysis of 
the gen_server library of Erlang/OTP. We believe that we can transparently 
widen the set of safe programs captured by these tools by using k-MC instead of 
synchronous multiparty compatibility. 

Desai et al. [87] propose a communicating automata-based approach to ver- 
ify safety properties of programs written in P [88]. Their approach is based 
on exploring a subset of the (possibly infinite) set of reachable configurations 
by prioritising certain transitions in order to minimise the size of the queues. 
Although the approach may not always terminate, they show that it is sound 
and complete wrt. reachability of error configurations. For instance, the system 
in Figure 9, adapted from [87, Section 9], shows a system for which their ap- 
proach does not terminate. Note that this system is not existentially bounded 
and therefore it is not k-MC for any k. It is however trivially existentially stable 
bounded since no stable configuration is reachable except for the initial one. An 
interesting area of future work is to investigate similar priority-based executions 
of CSA systems in order to check the k-MC property more efficiently. 

D’Osualdo et al. [90] verify safety properties of Erlang programs by infer- 
ring a model which abstracts away from message ordering in mailboxes. Their 
model is based on vector addition systems, for which the reachability problem 
is decidable. It would be interesting to adapt their approach to infer (mail- 
box) communicating automata from Erlang programs. Several approaches rely 
on sequentialization of concurrent programs [73, 79, 80, 91, 99, 112], sometimes 
using bounded executions. For instance, Bouajjani and Emmi [79] verify pro- 
grams that (asynchronously) send tasks to each other by considering executions 
bounded by the number of times a sequence of tasks visits the same process. 
Bakst et al. [73] address the verification of an actor-oriented language (modelled 
on Erlang and Cloud Haskell) using canonical sequentializations, which over- 
approximate a program. They show that properties such as deadlock-freedom 
can be checked efficiently. Their approach requires the program to validate sev- 
eral structural properties, one of which, symmetric non-determinism, is remi- 
niscent of receive directedness as it requires every receive action to only receive 
messages from a single process (or a set of processes running the same code). 


30 Julien Lange and Nobuko Yoshida 


Fig. 9. Example of a non ∃-bounded system. [Figure: automata p, q, and r; the visible transition labels include pr!a, pr?a, pr!b, pq!b and qr!c; the figure itself is not reproduced in this extraction.] 

It would be interesting to relate symmetric non-determinism and directedness 
more precisely, and consider systems of CSA which consist of several instances 
of some automaton. In a similar line of work, von Gleissenthall et al. [115] apply a 
form of sequentialization to the verification of distributed systems implemented 
atop a Go library. One of their restrictions is reminiscent of send directedness: 
they allow participants to communicate to several others, however, they require 
this communication to happen sequentially, “one interlocutor at a time”. 


E Additional examples 


E.1 Examples for Section 1 (non-SMC examples) 


The following example, implementing a simple rock-paper-scissors game, is not 
SMC but it is 1-MC. Message r stands for “rock”, p for “paper”, and s for “scissors”. 
At the end of the play, each participant sends their result to the server. Note 
that this pattern cannot be specified in a synchronous way without giving a clear 
advantage to one of the players. 


[Figure: automata p, q, and s for the rock-paper-scissors game; p and q exchange r, p, or s over the channels pq and qp (transitions pq!r, pq!p, pq!s, qp?r, qp?p, qp?s and their duals), then p and q send res to the server s (ps!res, qs!res), which receives both (ps?res, qs?res); the figure itself is not reproduced in this extraction.] 


A more involved version of this game is given below. It is not SMC, but it is 
1-MC. Note that s is not directed, however the system is 1-SIBI since s can only 
receive one of the expected messages. 


E.2 Example for Section 3: k-SIBI vs. k-CIBI conditions 


We illustrate the difference between the k-SIBI and k-CIBI properties with the 
system below. It is adapted from the running example of [40] where we have 
removed mixed states (choosing one interleaving for each outgoing transition). 
We refer to it as the 4 Player game in Table 2. 


[Figure: the 4 Player game system (automata of participants a, b, c, and d); the visible transition labels include cd!busy, cd?busy, ca!msg, ad?free, ac?cwin and cb!blose; the figure itself is not reproduced in this extraction.] 


This system is k-IBI for all k (and thus IBI): it is never the case that Mb (resp. 
Mc) can choose between consuming bwin or blose (resp. cwin or close). It is not 
k-SIBI (for any k) because of the cyclic nature of the protocol (both choices are 
available at each iteration). However, this system is k-CIBI because Ma needs to 
receive acknowledgements from both Mb and Mc before starting a new iteration 
of the game; hence there is a dependency between, e.g., ab?bwin and cb!blose. 


E.3 Example for Section 3.2: Local bound-agnosticity 


We illustrate the reason for using projections which preserve $\epsilon$-transitions, i.e., 
$\pi^{\epsilon}_p(TS_k(S))$, to characterise k-exhaustive systems, instead of projections which 
determinise the automata, cf. [40]. Consider the system S below. 


[Figure: system S with automata s (transitions sr!x, sr!y and ps?a), p (transitions ps!a), and r (transitions sr?x and sr?y); the figure itself is not reproduced in this extraction.] 
The traditional projections $\pi_p(TS_k(S))$ and the $\epsilon$-preserving projections $\pi^{\epsilon}_p(TS_k(S))$ for 
$k \in \{1,2\}$ are given below (up to (weak) bisimulation). 


[Figure: the four projected automata $\pi_p(TS_1(S))$, $\pi_p(TS_2(S))$, $\pi^{\epsilon}_p(TS_1(S))$ and $\pi^{\epsilon}_p(TS_2(S))$, whose transitions are all labelled ps!a; the figure itself is not reproduced in this extraction.] 


Observe that we have $\pi_p(TS_1(S)) \approx \pi_p(TS_2(S))$, but not 
$\pi^{\epsilon}_p(TS_1(S)) \approx \pi^{\epsilon}_p(TS_2(S))$. 


Indeed, the system above is not 1-MC, but is 2-MC. 


E.4 Examples for Section 4: ∃-bounded vs. synchronisable systems 


Example 13. (Mp, Mq) below is safe, but not existentially k-bounded, nor k-exhaustive, 
for any k. 


[Figure: Mp with transitions labelled pq!a, pq!b, qp?c and qp?d, and Mq with transitions labelled qp!c, qp!d, pq?a and pq?b, as in the execution $\varphi$ below; the figure itself is not reproduced in this extraction.] 


For instance, the execution $\varphi$ below is $\max\{m,n\}$-bounded. Hence, for any finite k, 
we can generate an execution that is not existentially (stable) k-bounded. 


$$\varphi = \underbrace{pq!a \cdots pq!a}_{n \text{ times}} \cdot pq!b \cdot \underbrace{qp!c \cdots qp!c}_{m \text{ times}} \cdot qp!d \cdot \underbrace{pq?a \cdots pq?a}_{n \text{ times}} \cdot pq?b \cdot \underbrace{qp?c \cdots qp?c}_{m \text{ times}} \cdot qp?d$$ 


Note that $\varphi$ leads to a stable configuration (all sent messages are received). 


Example 14. The (non-IBI) system in Figure 2 is not k-synchronisable for any 
k, due to executions consisting of the left branch of M, and the right branch of 
M, which are not synchronisable. 


Example 15. The system (Mp, Mq) in Figure 3 is not k-synchronisable for any k. 
The system (Mp, Nj) is not k-synchronisable for any k since the second emission 
of message b cannot be received in the exchange from which it is sent. Instead, 
the system (Mp, Nq) in Figure 3 is 3-synchronisable since each of its executions 
can be rescheduled so as to consist of the following 3-exchange: 


$pq!a \cdot pq!a \cdot qp!b \cdot pq?a \cdot pq?a \cdot qp?b$. 
E.5 Example for Section 6: mailbox communicating automata 


Consider the system (Mp, Mr, Mq) below, with a mailbox semantics, i.e., par- 
ticipant r has one input queue to which both participants p and q can send 
messages. 


[Figure: automata p, q, and r; the visible transition labels are ?a and r!a; the figure itself is not reproduced in this extraction.] 

If this system executes with bound k < 3, one participant (either p or q) will be 
prevented from sending at least one message. This implies that the send action 
of a participant may become disabled after being enabled. This is problematic for 
the current partial order reduction algorithm and for the notion of k-closed sets 
used to prove our main results. 


E.6 Example for Section A: (reduced) k-OBI 


The example below is reduced k-OBI for k ≥ 2, but not k-OBI for any k ≥ 1. 
$TS_1(S)$ includes a state where the queue pq contains one message a and Mp 
is back in its initial state. At this point, pr!b is fireable, but pq!a is not. In 
$RTS_2(S)$, there is only one state from which p fires its send actions, both of 
which are enabled, hence the system is reduced 2-OBI. 


[Figure: automata p, q, and r; the visible transition labels are pq!a, pq?a and pr?b; the figure itself is not reproduced in this extraction.] 


E.7 Example for Section A: ordered list 


We illustrate the motivation to sort the list generated by partition(_), see Def- 
inition 18, with the system below. 


[Figure: automata p (transition pq!a), q, r, and s (transitions sr!x and sr!y); the figure itself is not reproduced in this extraction.] 


If we were to build $RTS_k(S)$ for this system without sorting the list returned 
by $\mathit{partition}(s_0)$, we might obtain $\mathit{partition}(s_0) = \{sr!x, sr!y\} \cdot \{pq!a\}$, which pro- 
duces 4 transitions (and 5 states). Instead, if the list is sorted by ascending cardi- 
nality, we have $\mathit{partition}(s_0) = \{pq!a\} \cdot \{sr!x, sr!y\}$, which gives us an $RTS_k(S)$ 
with 3 transitions (and 4 states). 


Remark 6. Note that even though sorting sets of transitions by cardinality gives 
better performance in general, it does not guarantee finding the smallest $RTS_k(S)$. 
F Proofs for Section 2 (preliminaries) 


Proposition 1. (1) If S is send directed, then S is k-OBI for all $k \in \mathbb{N}_{>0}$. (2) If 
S is receive directed, then S is IBI (and k-IBI for all $k \in \mathbb{N}_{>0}$). 


Proof. Immediate since each directed (CSA) automaton has access to at most 
one channel from each state. □ 


Lemma 9. Let S be a system and $\varphi \in A^*$. If $s_0 \xrightarrow{\varphi} s$, then $\varphi$ is a valid execution. 


Proof. By induction on the length of $\varphi$. The result follows trivially for $\varphi = \epsilon$. 
Assume it holds for $\varphi$ and let us show that it also holds for $\varphi \cdot \ell$. Assume 
$\mathit{chan}(\ell) = pq$. By induction hypothesis, for each prefix $\psi$ of $\varphi$, we have that 
$\pi^{?}_{sr}(\psi)$ is a prefix of $\pi^{!}_{sr}(\psi)$ for any channel $sr \in C$. Hence, for each prefix $\psi$ of 
$\varphi \cdot \ell$ we have that $\pi^{?}_{sr}(\psi)$ is a prefix of $\pi^{!}_{sr}(\psi)$ for any channel $sr \neq pq \in C$. If 
$\ell = pq!a$, the result still holds since $\pi^{!}_{pq}(\psi)$ is longer or equal. The interesting 
case is when $\ell = pq?a$. Pose $\pi^{!}_{pq}(\varphi) = \pi^{?}_{pq}(\varphi) \cdot w$ (there is such $w$ by induction 
hypothesis). Assume by contradiction that $\varphi \cdot pq?a$ is not a valid word. Then, 
there is no $w' \in \Sigma^*$ such that $\pi^{!}_{pq}(\varphi) = \pi^{!}_{pq}(\varphi \cdot pq?a) = \pi^{?}_{pq}(\varphi \cdot pq?a) \cdot w'$, which 
implies that either $w = b \cdot w''$ or $w = \epsilon$ ($b \neq a$). This contradicts the fact that 
$s_0 \xrightarrow{\varphi} s \xrightarrow{pq?a}$, since the channel pq in s is either empty or starts with b. □ 


Lemma 10. Let S be a system. If $s_0 \xrightarrow{\varphi} s \xrightarrow{\psi} t$, and $s \xrightarrow{\psi'} t'$ such that $\psi \asymp \psi'$, 
then (1) $t = t'$ and (2) $\varphi \cdot \psi \asymp \varphi \cdot \psi'$. 


Proof. Item (1) follows from the fact that the automata are deterministic; hence, 
they all terminate in the same state, and the queues are consumed uniformly in 
both executions. Item (2) follows from the fact that both executions are valid, 
by Lemma 9. □ 


G Proofs for Section 3 (k-Mc) 


Theorem 2. The problems of checking the k-OBI, k-IBI, k-SIBI, k-safety, and 
k-exhaustivity properties are all decidable and PSPACE-complete (with $k \in \mathbb{N}_{>0}$ 
given in unary). The problem of checking the k-CIBI property is decidable. 


Proof. We first observe that decidability follows straightforwardly since for any 
finite k, both $RS_k(S)$ and $\rightarrow_k$ are finite. We follow the proof of [8, Theorem 
6.3]. Let n be the maximum of $\{|Q_p| \mid p \in P\}$, then there are at most $n|P|$ local 
states in S. 

(k-exhaustivity) We check whether S is not k-exhaustive, i.e., for each sending 
state $q_p$ and send action from $q_p$, we check whether there is a reachable config- 
uration from which this send action cannot be fired. Hence, we need to search 
$RS_k(S)$, which has an exponential number of states (wrt. k). Following [8, The- 
orem 6.3], each configuration $s \in RS_k(S)$ may be encoded in space 


$$|P| \log n + |C|\, k \log |\Sigma|$$ 

We also need one bit to remember whether we are looking for $q_p$ or whether 
we are looking for the matching action. We need to store at most $|P|\, n\, |C|\, |\Sigma|^k$ 
configurations, hence the problem can be decided in polynomial space when k is 
given in unary. 

Next, we show that the problem is PSPACE-hard. From [22, Proposition 5.5], 
we know that checking existentially stable k-boundedness for a system with the 
stable property is PSPACE-complete. By Theorem 5, this problem can be reduced 
to checking whether the system is k-exhaustive, which implies that checking k- 
exhaustivity must be PSPACE-hard. 

(k-OBI) For each sending state qp, we check whether there is a reachable config- 
uration from which not all send actions can be fired, and thus we reason similarly 
to the k-exhaustivity case. Next, we show that checking k-OBI is PSPACE-hard. 
For this we adapt the construction from [9, Theorem 3] which reduces the prob- 
lem of checking if the product of a set of finite state automata has an empty 
language to checking 1-synchronisability. We use the same construction as theirs 
(which is 1-OBI) but instead of adding states and transitions to ensure that the 
system breaks 1-synchronisability when each automaton is in a final state, we add 
states and transitions that violate 1-OBI (using a construction like the one in 
Example 10). 

(k-IBI) For each non-directed receiving state qp, we check whether there is a 
reachable configuration from which more than one receive action can be fired, 
and thus we reason similarly as for k-exhaustivity. Showing that k-IBI is PSPACE- 
hard is similar to the k-OBI case. 

(k-SIBI) There are two components of this property, one is equivalent to k-IBI, 
the other requires to guarantee that no matching send action is fired from an 
already enabled receive state. Hence, for each non-directed receiving state qp, we 
check whether there is a reachable configuration from which one receive action 
of p is enabled, followed by a send action that matches another receive. We can 
proceed as in the case for k-exhaustivity with additional space to remember 
whether we are looking for the receiving state or for a matching send action. 
Showing that k-SIBI is PSPACE-hard is similar to the k-OBI case. 

(k-safety) For eventual reception, we proceed as in k-SIBI for each receiving 
state and element of the alphabet (check if such a configuration is reachable, 
then we search for a matching receive). For progress, we proceed as in k-SIBI for 
each receiving state qp (check if such a configuration is reachable, then we search 
for a move by p). Showing that checking k-safety is PSPACE-hard is similar to the 
k-OBI case. □ 


Lemma 11. Let S s.t. $s \in RS_k(S)$ and $\Psi \subseteq A^*$ such that $\Psi$ is k-closed for s, 
then $\Psi$ is k+1-closed for s. 

Proof. The result follows from Definition 25, since $\rightarrow_k \subseteq \rightarrow_{k+1}$. □ 

Lemma 4. Let S be reduced k-OBI and k-exhaustive. For all $s \in RS_k(S)$, if 
$s \xrightarrow{pq!a}$ and $\Psi = \{\varphi \mid s \xrightarrow{\varphi}_k \xrightarrow{pq!a}_k \wedge p \notin \varphi\}$, then $\Psi \neq \emptyset$ is k-closed for s. 

Proof. The non-emptiness of $\Psi$ follows easily from the assumption that S is 
k-exhaustive (Definition 8). We have to show the following two conditions hold: 
(1) $\forall \varphi \in \Psi : \exists s' \in RS_k(S) : s \xrightarrow{\varphi}_k s'$, which follows trivially from the definition 
of $\Psi$. 

(2) For all $\varphi_0 \cdot sr!b \cdot \varphi_1 \in \Psi$ such that $s \xrightarrow{\varphi_0}_k (q; w)$ and for all $(q_s, \ell, q'_s) \in \delta_s$ there 
is $\varphi_0 \cdot \psi \cdot \ell \cdot \varphi_2 \in \Psi$ with $s \notin \psi$. For this part, take $\varphi_0 \cdot sr!b \cdot \varphi_1 \in \Psi$ such that $s \xrightarrow{\varphi_0}_k (q; w)$ 
(with $s \neq p$ by definition of $\Psi$). By definition of $\Psi$, we have $s' = (q; w) \in RS_k(S)$. 
Since S is k-exhaustive, for each $(q_s, st!c, q'_s) \in \delta_s$ there is $\psi$ s.t. we obtain 
the following situation (where each arrow indicates a k-bounded execution): 


$s' \xrightarrow{sr!b}_k$ and $s' \xrightarrow{\psi}_k t \xrightarrow{st!c}_k t'$, with $s \notin \psi$. 


There are two cases: 


– If $p \notin \psi$, we have that the local state of p in configurations s, s' and t is 
the same. Hence, by k-exhaustivity: $t' \xrightarrow{\psi'}_k \xrightarrow{pq!a}_k$ with $p \notin \psi'$. Therefore, 
$\varphi_0 \cdot \psi \cdot st!c \cdot \psi' \in \Psi$ as required. 

– If there is no $\psi$ such that $p \notin \psi$, then there must be a dependency chain in $\psi$ 
that prevents st!c from being fired without p making a move. Since $s \notin \psi$, we must 
have some $st?d$ in $\psi$ such that $st?d$ depends on an action by p. The smallest 
such chain is of the form $pt!x \cdot pt?x \cdot st?y$. Without loss of generality, pose 
$\psi = pt!x \cdot pt?x \cdot st?y$ (we reason similarly with a longer chain). 

Take $\varphi_3$ s.t. $s_0 \xrightarrow{\varphi_3}_k s$; since S is reduced k-OBI and k-exhaustive, there are 
$t''$ and $\psi_0$ such that $s_0 \xrightarrow{\psi_0}_k t''$, and $\varphi_4$ s.t. $t' \xrightarrow{\varphi_4}_k t''$, with 


$$\psi_0 = \varphi_3 \cdot \varphi_0 \cdot pt!x \cdot pt?x \cdot st?y \cdot st!c \cdot \varphi_4$$ 


by Lemma 38 (2). Hence, due to the dependency chain within $\psi$, we must 
have: 
$$\psi_0 = \psi_1 \cdot pt!x \cdot \psi_2 \cdot pt?x \cdot \psi_3 \cdot st?y \cdot \psi_4 \cdot st!c \cdot \psi_5$$ 
with $s \notin \psi_2 \cdot \psi_3 \cdot \psi_4$. There are three cases: 
• Either sr!b is k-enabled immediately after $\psi_1$, in which case we have a 
contradiction with the fact that S is reduced k-OBI, 
• sr!b is k-enabled strictly after $\psi_1$ and strictly before st!c, then we have 
a contradiction with the fact that S is reduced k-OBI, or 
• sr!b is not k-enabled along $\psi_0$, which is also a contradiction with the 
fact that S is reduced k-OBI. □ 


Given $\varphi = \ell_1 \cdots \ell_n \in A^*$, we write $\mathit{subj}(\varphi)$ for the set $\bigcup_{1 \leq i \leq n} \{\mathit{subj}(\ell_i)\}$. 

Lemma 12. If $s \xrightarrow{\varphi} t$ and $s \xrightarrow{\psi} t'$ and $\mathit{subj}(\varphi) \cap \mathit{subj}(\psi) = \emptyset$, then there is 
$s'$ such that $t \xrightarrow{\psi} s'$ and $t' \xrightarrow{\varphi} s'$. 


Verifying Asynchronous Interactions via Communicating Session Automata 37 


Proof. Straightforward: the executions are independent from one another. □ 


Lemma 5. Let S be a k-IBI system, $s, s' \in RS_k(S)$ and $\Psi \subseteq A^*$ such that 
$\Psi$ is k-closed for s, $s \xrightarrow{\ell} s'$, and $\hat\Psi = \hat\Psi_1 \cup \hat\Psi_2$, where 


$$\hat\Psi_1 = \{\varphi \mid \varphi \in \Psi \wedge \mathit{subj}(\ell) \notin \varphi\} \quad\text{and}\quad \hat\Psi_2 = \{\varphi_1 \cdot \varphi_2 \mid \varphi_1 \cdot \ell \cdot \varphi_2 \in \Psi \wedge \mathit{subj}(\ell) \notin \varphi_1\}$$ 

Then the following holds: 


1. The set $\hat\Psi$ is k-closed for $s'$. 
2. For all $\psi \in \hat\Psi$, there is $\varphi \in \Psi$ such that either: 
– $\psi \in \hat\Psi_1$, $\psi = \varphi$, $\mathit{subj}(\ell) \notin \psi$, and there are $t, t' \in RS_k(S)$ such that 
$s \xrightarrow{\varphi}_k t$, $s' \xrightarrow{\psi}_k t'$, and $t \xrightarrow{\ell}_k t'$, and $\varphi \cdot \ell \asymp \ell \cdot \psi$; or 
– $\psi \in \hat\Psi_2$, there is $t \in RS_k(S)$ such that $s \xrightarrow{\varphi}_k t$, $s' \xrightarrow{\psi}_k t$, and $\varphi \asymp \ell \cdot \psi$. 
3. $\hat\Psi = \emptyset \iff \Psi = \emptyset$. 


Proof. Let us pose $\mathit{subj}(\ell) = p$. 
(1) We first observe that $\hat\Psi$ validates condition (1) of Definition 25, i.e., $\forall \varphi \in 
\hat\Psi : \exists s'' \in RS_k(S) : s' \xrightarrow{\varphi}_k s''$, by definition of $\hat\Psi$. We then show that $\hat\Psi$ validates 
the second condition of k-closure. There are two cases depending on whether the 
execution is in $\hat\Psi_1$ or $\hat\Psi_2$. 


1. Take $\varphi = \varphi_0 \cdot sr!a \cdot \varphi_1 \in \hat\Psi_1$, then by definition of $\hat\Psi_1$, we have $p \neq s$ and 
$\varphi \in \Psi$. Hence, posing $s \xrightarrow{\varphi_0}_k (q; w)$, we have that for all $(q_s, \ell', q'_s) \in \delta_s$ there 
is $\varphi_0 \cdot \psi \cdot \ell' \cdot \varphi_2 \in \Psi$, with $\mathit{subj}(\ell') \notin \psi$, since $\Psi$ is k-closed by assumption. 
(a) If $p \notin \varphi_2$, then $\varphi_0 \cdot \psi \cdot \ell' \cdot \varphi_2 \in \hat\Psi_1$, as required. 

(b) If $p \in \varphi_2$, then there are two cases depending on whether $\ell$ is a send or 
a receive action. 

– If $\ell = qp?a$, then we must have $\varphi_2 = \varphi_3 \cdot qp?a \cdot \varphi_4$ with $p \notin \varphi_3$, 
since S is k-IBI (only one receive action can be enabled at p). Thus 
$\varphi_0 \cdot \psi \cdot \ell' \cdot \varphi_3 \cdot \varphi_4 \in \hat\Psi_2$, as required. 

– If $\ell = pq!a$, then we must have $\varphi_2 = \varphi_3 \cdot pt!b \cdot \varphi_4$ with $p \notin \varphi_3$. Since 
$\Psi$ is k-closed, we also have $\varphi_0 \cdot \psi \cdot \ell' \cdot \varphi_3 \cdot \varphi'_4 \cdot pq!a \cdot \varphi_5 \in \Psi$ 
for some $\varphi'_4, \varphi_5$ s.t. $p \notin \varphi'_4$. Thus, $\varphi_0 \cdot \psi \cdot \ell' \cdot \varphi_3 \cdot \varphi'_4 \cdot \varphi_5 \in \hat\Psi_2$, as re- 
quired. 

2. Take $\varphi = \varphi_0 \cdot sr!a \cdot \varphi_1 \in \hat\Psi_2$. There are two cases: 

(a) If $\varphi_0 = \varphi_2 \cdot \varphi_3$ and $\varphi_2 \cdot \ell \cdot \varphi_3 \cdot sr!a \cdot \varphi_1 \in \Psi$, then posing $s \xrightarrow{\varphi_2 \cdot \ell \cdot \varphi_3}_k (q; w)$, 
we have that for all $(q_s, \ell', q'_s) \in \delta_s$ there is $\varphi_2 \cdot \ell \cdot \varphi_3 \cdot \varphi_5 \cdot \ell' \cdot \varphi_4 \in \Psi$ (for 
some $\varphi_4$ and $\varphi_5$ s.t. $s \notin \varphi_5$) since $\Psi$ is k-closed by assumption. Thus, 
$\varphi_2 \cdot \varphi_3 \cdot \varphi_5 \cdot \ell' \cdot \varphi_4 \in \hat\Psi_2$, as required. 

(b) If $\varphi_1 = \varphi_2 \cdot \varphi_3$ and $\varphi_0 \cdot sr!a \cdot \varphi_2 \cdot \ell \cdot \varphi_3 \in \Psi$, then $p \notin \varphi_0 \cdot sr!a \cdot \varphi_2$ (hence 
$p \neq s$) and, posing $s \xrightarrow{\varphi_0}_k (q; w)$, we have that for all $(q_s, \ell', q'_s) \in \delta_s$ there 
is $\varphi_0 \cdot \varphi_6 \cdot \ell' \cdot \varphi_4 \in \Psi$ (for some $\varphi_4$ and $\varphi_6$ s.t. $s \notin \varphi_6$) since $\Psi$ is k-closed 
by assumption. 

– if $p \notin \varphi_4$, then $\varphi_0 \cdot \varphi_6 \cdot \ell' \cdot \varphi_4 \in \hat\Psi_1$, as required. 
– if $p \in \varphi_4$, there are two cases depending on whether $\ell$ is a receive or 
send action. 
• if $\ell$ is a receive action, then we must have $\varphi_4 = \varphi_5 \cdot \ell \cdot \varphi_7$ with 
$p \notin \varphi_5$, thus $\varphi_0 \cdot \varphi_6 \cdot \ell' \cdot \varphi_5 \cdot \varphi_7 \in \hat\Psi_2$, as required, since S is k-IBI 
(only one receive action can be enabled at p). 
• if $\ell$ is a send action, pose $\ell = pq!c$, then we must have $\varphi_4 = 
\varphi_5 \cdot pt!b \cdot \varphi_7$ with $p \notin \varphi_5$. Since $\Psi$ is k-closed, we must also have 
$\varphi_0 \cdot \varphi_6 \cdot \ell' \cdot \varphi_5 \cdot \varphi_8 \cdot pq!c \cdot \varphi_9 \in \Psi$ (for some $\varphi_8$ and $\varphi_9$ s.t. $p \notin \varphi_8$). 
Thus, $\varphi_0 \cdot \varphi_6 \cdot \ell' \cdot \varphi_5 \cdot \varphi_8 \cdot \varphi_9 \in \hat\Psi_2$, as required. 


(2) Take $\psi \in \hat\Psi$; by definition of $\hat\Psi$, there are two cases: 


1. If $\psi \in \hat\Psi_1$, then $\psi = \varphi \in \Psi$ and since $\mathit{subj}(\ell) \notin \psi$, $s \xrightarrow{\psi}_k t \xrightarrow{\ell}_k t'$ and $s' \xrightarrow{\psi}_k t'$ 
by Lemma 12. In picture, we have the commuting square 
$s \xrightarrow{\ell} s'$, $s \xrightarrow{\psi} t$, $s' \xrightarrow{\psi} t'$ and $t \xrightarrow{\ell} t'$. 
Finally, we have $\varphi \cdot \ell \asymp \ell \cdot \varphi$ since $\mathit{subj}(\ell) \notin \varphi$. 
2. If $\psi \in \hat\Psi_2$, then there is $\varphi = \varphi_0 \cdot \ell \cdot \varphi_1 \in \Psi$ s.t. $\psi = \varphi_0 \cdot \varphi_1$ and $\mathit{subj}(\ell) \notin \varphi_0$. 
Thus, by Lemma 12 we have $s \xrightarrow{\varphi_0}_k \xrightarrow{\ell}_k \xrightarrow{\varphi_1}_k t$ and $s \xrightarrow{\ell}_k s' \xrightarrow{\varphi_0}_k \xrightarrow{\varphi_1}_k t$, i.e., 
the executions $\varphi_0 \cdot \ell$ and $\ell \cdot \varphi_0$ from s lead to the same configuration, from which $\varphi_1$ leads to t. 
Finally, we have $\varphi_0 \cdot \ell \cdot \varphi_1 \asymp \ell \cdot \varphi_0 \cdot \varphi_1$ since $\mathit{subj}(\ell) \notin \varphi_0$. 


(3) The ($\Leftarrow$) direction is trivial from the definition of $\hat\Psi$. Let us show that 
$\hat\Psi = \emptyset \Rightarrow \Psi = \emptyset$ by contradiction. Assume $\hat\Psi = \emptyset$ and $\Psi \neq \emptyset$. This implies 
that for all $\varphi \in \Psi$: $p \in \varphi$. Pose $\varphi = \varphi_0 \cdot \ell' \cdot \varphi_1$, with $p \notin \varphi_0$ and $\ell' \neq \ell$ the first action of p in $\varphi$. 
– If $\ell$ is a receive action, then $\ell'$ is also a receive action ($p \notin \varphi_0$), thus $\ell' \neq \ell$ 
contradicts the assumptions that $s \xrightarrow{\ell}$ and $p \notin \varphi_0$. 
– If $\ell$ is a send action, then $\ell'$ is also a send action ($p \notin \varphi_0$), thus it is a 
contradiction with the fact that $\Psi$ is k-closed for s. □ 


Lemma 6. Let S be a reduced k-OBI and k-IBI system, then for all $s_1, \ldots, s_n \in 
RS_k(S)$, such that $s_1 \xrightarrow{\ell_1} s_2 \cdots s_{n-1} \xrightarrow{\ell_{n-1}} s_n$ (with $n > 1$). If there is $\emptyset \neq 
\Psi \subseteq A^*$ such that $\Psi$ is k-closed for $s_1$, then there is $\varphi_1 \in \Psi$ and $\psi, \varphi_n \in A^*$ such 
that $s_1 \xrightarrow{\varphi_1}_k t_1 \xrightarrow{\psi}_k t_n$ and $s_n \xrightarrow{\varphi_n}_k t_n$, for some $t_1, t_n \in RS_k(S)$ with $|\psi| < n$ 
and $\varphi_1 \cdot \psi \asymp \ell_1 \cdots \ell_{n-1} \cdot \varphi_n$. 


Proof. By replicated application of Lemma 5 (parts 1 and 3), for all $1 < i \leq n$, 
there is $\emptyset \neq \Psi_i \subseteq A^*$ such that $\Psi_i$ is k-closed for $s_i$. In addition, by Lemma 5 
(part 2), for all $1 \leq i < n$, and for all $\varphi_{i+1} \in \Psi_{i+1}$, there is $\varphi_i \in \Psi_i$ such that 
either 

– $s_{i+1} \xrightarrow{\varphi_{i+1}}_k t_{i+1}$, and $s_i \xrightarrow{\varphi_i}_k t_i$, with $t_i = t_{i+1}$, or 

– $s_{i+1} \xrightarrow{\varphi_{i+1}}_k t_{i+1}$, $s_i \xrightarrow{\varphi_i}_k t_i$, and $t_i \xrightarrow{\ell_i}_k t_{i+1}$. 


The rest of the proof is by induction on n. 
(Base case) If $n = 2$, then the result follows directly by instantiating Lemma 5 
with $s_1 = s$, $s_n = s'$, and $\ell_1 = \ell$; in particular, we have $\psi = \ell_1$ or $\psi = \epsilon$ (hence 
$|\psi| < n$). 
(Inductive case) Assume the result holds for $n = i$ (i.e., $\varphi_1 \cdot \psi \asymp \ell_1 \cdots \ell_{i-1} \cdot \varphi_i$) 
and let us show that it holds for $n = i+1$. We have the following situation: 


[Diagram: $s_1 \xrightarrow{\ell_1 \cdots \ell_{i-1}} s_i \xrightarrow{\ell_i} s_{i+1}$ on top, $t_1 \xrightarrow{\psi} t_i \xrightarrow{\psi'} t_{i+1}$ below, and the vertical executions $s_1 \xrightarrow{\varphi_1} t_1$, $s_i \xrightarrow{\varphi_i} t_i$ and $s_{i+1} \xrightarrow{\varphi_{i+1}} t_{i+1}$.] 


By Lemma 5, we have either 


1. $t_i = t_{i+1}$, $\psi' = \epsilon$, and $\varphi_i \cdot \epsilon \asymp \ell_i \cdot \varphi_{i+1}$. 
2. $\psi' = \ell_i$, $\varphi_i = \varphi_{i+1}$ and $\varphi_i \cdot \ell_i \asymp \ell_i \cdot \varphi_{i+1}$. 


We have to show that 
$$\varphi_1 \cdot \psi \cdot \psi' \asymp \ell_1 \cdots \ell_{i-1} \cdot \ell_i \cdot \varphi_{i+1}$$ 


– Assume case (1) holds. 


$$\begin{array}{rll} \varphi_1 \cdot \psi & \asymp \ell_1 \cdots \ell_{i-1} \cdot \varphi_i & \text{by induction hypothesis} \\ & = \ell_1 \cdots \ell_{i-1} \cdot \varphi' \cdot \ell_i \cdot \varphi'' & \text{posing } \varphi_i = \varphi' \cdot \ell_i \cdot \varphi'' \text{ with } \mathit{subj}(\ell_i) \notin \varphi' \\ & \asymp \ell_1 \cdots \ell_{i-1} \cdot \ell_i \cdot \varphi' \cdot \varphi'' & \text{since } \mathit{subj}(\ell_i) \notin \varphi' \\ & = \ell_1 \cdots \ell_{i-1} \cdot \ell_i \cdot \varphi_{i+1} & \text{by Lemma 5} \end{array}$$ 


Finally, since $\psi' = \epsilon$ in this case, we have $\varphi_1 \cdot \psi \cdot \psi' = \varphi_1 \cdot \psi$, hence 
$$\varphi_1 \cdot \psi \cdot \psi' \asymp \ell_1 \cdots \ell_{i-1} \cdot \ell_i \cdot \varphi_{i+1}$$ 


as required. 
– Assume case (2) holds. 


$$\begin{array}{rll} \varphi_1 \cdot \psi & \asymp \ell_1 \cdots \ell_{i-1} \cdot \varphi_i & \text{by induction hypothesis} \\ \varphi_1 \cdot \psi \cdot \ell_i & \asymp \ell_1 \cdots \ell_{i-1} \cdot \varphi_i \cdot \ell_i & \text{by Lemma 10} \\ & \asymp \ell_1 \cdots \ell_{i-1} \cdot \ell_i \cdot \varphi_{i+1} & \text{by case (2)} \end{array}$$ 

Hence $\varphi_1 \cdot \psi \cdot \psi' \asymp \ell_1 \cdots \ell_{i-1} \cdot \ell_i \cdot \varphi_{i+1}$ since $\psi' = \ell_i$ by case (2). 


In both cases, we have $|\psi \cdot \psi'| < i+1$ since $|\psi| < i$ by induction hypothesis and 
$\psi' = \epsilon$ (resp. $\psi' = \ell_i$) by case (1) (resp. case (2)). □ 


Lemma 7. Let S be reduced k-OBI, k+1-IBI, and k-exhaustive, then for all $s \in 
RS_k(S)$ and $s' \in RS_{k+1}(S)$ such that $s \xrightarrow{\varphi}_{k+1} s'$, there is $t \in RS_k(S)$ and 
$\psi, \psi' \in A^*$, such that $s \xrightarrow{\psi}_k t$, $s' \xrightarrow{\psi'}_k t$, and $\psi \asymp \varphi \cdot \psi'$. 


Proof. We show the result by induction on the length of $\varphi$. 
(Base case) If $\varphi = \epsilon$, then the result holds trivially with $s = s' = t \in 
RS_k(S)$. 
(Inductive case) Assume that for all $s \in RS_k(S)$ and $s' \in RS_{k+1}(S)$ such that 
$s \xrightarrow{\varphi}_{k+1} s'$, with $|\varphi| < n$, there is $t \in RS_k(S)$ and $\psi, \psi' \in A^*$, such that $s \xrightarrow{\psi}_k t$, 
$s' \xrightarrow{\psi'}_k t$ and $\psi \asymp \varphi \cdot \psi'$. 
Take $s \in RS_k(S)$ and $s' \in RS_{k+1}(S)$ such that $s \xrightarrow{\varphi}_{k+1} s'$, with $\varphi = \ell_1 \cdots \ell_n$ 
(i.e., $|\varphi| = n$), assuming that 


$$s = s_1 \xrightarrow{\ell_1}_{k+1} s_2 \xrightarrow{\ell_2}_{k+1} \cdots \xrightarrow{\ell_n}_{k+1} s_{n+1} = s'$$ 
There are two cases depending on the direction of $\ell_1$. 


1. If $\ell_1 = pq?a$, then $s_2 \in RS_k(S)$ since $s_1 \in RS_k(S)$. Thus, by induction 
hypothesis, there is $t \in RS_k(S)$ and $\psi, \psi' \in A^*$, such that $s_2 \xrightarrow{\psi}_k t$ and 
$s' \xrightarrow{\psi'}_k t$ and $\psi \asymp \ell_2 \cdots \ell_n \cdot \psi'$. Hence, $\ell_1 \cdot \psi \asymp \ell_1 \cdot \ell_2 \cdots \ell_n \cdot \psi'$, as required 
since $s_1 \xrightarrow{\ell_1}_k s_2$. 

2. If $\ell_1 = pq!a$, then by Lemma 4, the set $\Psi_1 = \{\varphi \mid s \xrightarrow{\varphi}_k \xrightarrow{pq!a}_k \wedge p \notin \varphi\}$ is 
non-empty and $\Psi_1$ is k-closed for s. 
Therefore, by Lemma 11, $\Psi_1$ is k+1-closed for s and by Lemma 5, the set 


$$\Psi_2 = \{\varphi \mid \varphi \in \Psi_1 \wedge \mathit{subj}(\ell_1) \notin \varphi\} \cup \{\varphi_1 \cdot \varphi_2 \mid \varphi_1 \cdot \ell_1 \cdot \varphi_2 \in \Psi_1 \wedge \mathit{subj}(\ell_1) \notin \varphi_1\}$$ 


is k+1-closed for $s_2$ and $\Psi_1 = \Psi_2 = \{\varphi \mid \varphi \in \Psi_1 \wedge \mathit{subj}(\ell_1) \notin \varphi\}$ by definition 
of $\Psi_1$. 

Hence, since S is k+1-IBI by assumption, we can apply Lemma 6 and obtain 
that there is $\varphi_1 \in \Psi_2$ and $\varphi', \psi_{n+1} \in A^*$ such that 


$$s_2 \xrightarrow{\varphi_1}_{k+1} t_2 \xrightarrow{\varphi'}_{k+1} t_{n+1} \quad\text{and}\quad s' = s_{n+1} \xrightarrow{\psi_{n+1}}_{k+1} t_{n+1}$$ 
for some $t_2, t_{n+1} \in RS_{k+1}(S)$ with $|\varphi'| < n$ and 


$$\varphi_1 \cdot \varphi' \asymp \ell_2 \cdots \ell_n \cdot \psi_{n+1}$$ 
We have $t_2 \xrightarrow{\varphi'}_{k+1} t_{n+1}$, with $|\varphi'| < n$, with $t_2 \in RS_k(S)$; thus by induction 
hypothesis, there is $t \in RS_k(S)$ such that $t_{n+1} \xrightarrow{\psi'}_k t$, $t_2 \xrightarrow{\psi}_k t$ and 
$\psi \asymp \varphi' \cdot \psi'$, as pictured below (where the executions $s_1 \xrightarrow{\varphi_1}_k t_1 \xrightarrow{\ell_1}_k t_2$, 
$t_2 \xrightarrow{\psi}_k t$ and $t_{n+1} \xrightarrow{\psi'}_k t$ are in $\rightarrow_k$ and the rest in $\rightarrow_{k+1}$). 


[Diagram: $s = s_1 \xrightarrow{\ell_1} s_2 \xrightarrow{\ell_2 \cdots \ell_n} s_{n+1} = s'$ on top; $t_1 \xrightarrow{\ell_1} t_2 \xrightarrow{\varphi'} t_{n+1}$ in the middle, with $s_1 \xrightarrow{\varphi_1} t_1$, $s_2 \xrightarrow{\varphi_1} t_2$ and $s_{n+1} \xrightarrow{\psi_{n+1}} t_{n+1}$; and $t_2 \xrightarrow{\psi} t \xleftarrow{\psi'} t_{n+1}$ at the bottom.] 


We have to show that 
$$\varphi_1 \cdot \ell_1 \cdot \psi \asymp \ell_1 \cdots \ell_n \cdot \psi_{n+1} \cdot \psi'$$ 


By Lemma 6, 


$$\varphi_1 \cdot \varphi' \asymp \ell_2 \cdots \ell_n \cdot \psi_{n+1}$$ 
Prefixing each execution with $\ell_1$, we have: 


$$\ell_1 \cdot \varphi_1 \cdot \varphi' \asymp \ell_1 \cdot \ell_2 \cdots \ell_n \cdot \psi_{n+1}$$ 


and since $\mathit{subj}(\ell_1) \notin \varphi_1$, we have: 


$$\varphi_1 \cdot \ell_1 \cdot \varphi' \asymp \ell_1 \cdot \ell_2 \cdots \ell_n \cdot \psi_{n+1}$$ 
Adding $\psi'$ on each side of the equation, we obtain: 
$$\varphi_1 \cdot \ell_1 \cdot \varphi' \cdot \psi' \asymp \ell_1 \cdots \ell_n \cdot \psi_{n+1} \cdot \psi'$$ 
By induction hypothesis, we have $\psi \asymp \varphi' \cdot \psi'$. Hence, we obtain 
$$\varphi_1 \cdot \ell_1 \cdot \psi \asymp \ell_1 \cdots \ell_n \cdot \psi_{n+1} \cdot \psi'$$ 


as required. □ 


Lemma 13. If S is reduced k-OBI, k+1-IBI, and k-exhaustive, then for all $s \in 
RS_{k+1}(S)$, there is $t \in RS_k(S)$ such that $s \xrightarrow{*}_k t$. 


Proof. Direct consequence of Lemma 7. □ 
Lemma 14. If S is reduced k-OBI, (k+1)-IBI, and k-exhaustive, then it is re- 
duced (k+1)-OBI and (k+1)-exhaustive. 


Proof. ((k+1)-OBI) By contradiction, assume S is reduced k-OBI but not re- 
duced (k+1)-OBI. Then, there must be $s = (q; w) \in RTS_{k+1}(S) \setminus RTS_k(S)$ such 
that there is $p \in P$, $s \xrightarrow{pq!a}_{k+1}$, $(q_p, pr!b, q'_p) \in \delta_p$, and $\neg(s \xrightarrow{pr!b}_{k+1})$. By Lemma 13 
and Lemma 38 (2), there is $t' \in RTS_k(S)$ such that $s \xrightarrow{\psi_1}_k t'$. There are two 
cases: 


1. If $pr?b \notin \psi_1$, then we have $t' \xrightarrow{pq!a}_{k+1}$, and $\neg(t' \xrightarrow{pr!b}_{k+1})$, hence $\neg(t' \xrightarrow{pr!b}_k)$. 

– If $t' \xrightarrow{pq!a}_k$ we have a contradiction with the fact that S is reduced k-OBI. 

– If $\neg(t' \xrightarrow{pq!a}_k)$ then both queues are full at $t'$. Since S is k-exhaustive, 
both actions are enabled along a k-bounded execution from $t'$. However, 
one action must be enabled before the other, in any execution, contra- 
dicting the fact that S is reduced k-OBI. 

2. If $pr?b \in \psi_1$, $t' \xrightarrow{pq!a}_{k+1}$ and $\neg(t' \xrightarrow{pr!b}_{k+1})$. Then the queue pr must still be 
holding k messages at $t'$. Hence, $\neg(t' \xrightarrow{pr!b}_k)$ and we reason as above to reach 
a contradiction with the fact that S is reduced k-OBI. 


((k+1)-exhaustive) By contradiction, assume S is k-exhaustive, but not (k+1)- 
exhaustive. Then, there must be $s = (q; w) \in RS_{k+1}(S) \setminus RS_k(S)$ such that there is 
$p \in P$, with $q_p$ a sending state, and the following does not hold: 


$$\forall (q_p, pq!a, q'_p) \in \delta_p : \exists \varphi \in A^* : s \xrightarrow{\varphi}_{k+1} \xrightarrow{pq!a}_{k+1} \text{ and } p \notin \varphi \qquad (1)$$ 


By Lemma 13, there is $s' \in RS_k(S)$ such that $s \xrightarrow{\varphi}_k s'$. 


1. If $p \notin \varphi$, then $s' \xrightarrow{\varphi'}_k \xrightarrow{pq!a}_k$ for some $\varphi'$ with $p \notin \varphi'$ (by k-exhaustivity, since $s' \in RS_k(S)$), i.e., a contradiction. 
2. If $p \in \varphi$, there are two cases: 
(a) $\varphi = \varphi_1 \cdot pq!a \cdot \varphi_2$ with $p \notin \varphi_1$, hence pq!a can be fired from s, a contra- 
diction with the assumption that (1) above does not hold. 
(b) $\varphi = \varphi_1 \cdot pt!b \cdot \varphi_2$ with $p \notin \varphi_1$ and $a \neq b$. This implies that 


$$s \xrightarrow{\varphi_1}_k \xrightarrow{pq!a}_k \quad \text{since S is reduced k-OBI,}$$ 


which contradicts the assumption that (1) does not hold. □ 


Lemma 15. If S is (reduced) k-OBI, IBI, and k-exhaustive, then for all $s \in 
RS(S)$ such that $s_0 \xrightarrow{\varphi} s$, there is $t \in RS_k(S)$ and $\psi, \varphi' \in A^*$, such that $s_0 \xrightarrow{\psi}_k t$, 
$s \xrightarrow{\varphi'}_k t$, and $\psi \asymp \varphi \cdot \varphi'$. 


Proof. We first note that in this case $\asymp$ and $=$ coincide since we only consider 
executions starting from $s_0$, see Lemma 9; thus we show that $\psi = \varphi \cdot \varphi'$. 

From Lemma 14, we know that S is n-exhaustive (for any $n \geq k$). Hence, 
we obtain the result by repeated applications of Lemma 7 (with $s = s_0$) using 
the fact that $\asymp$ is a congruence. □ 
Lemma 16. If $S$ is $k$-OBI, IBI, and $k$-MC, then it is $(k+1)$-OBI and $(k+1)$-MC.

Proof. By Lemma 17 and Lemma 2. □

Lemma 17. If $S$ is reduced $k$-OBI, IBI, and $k$-MC then it is $(k+1)$-OBI and $(k+1)$-
MC.


Proof. Assume by contradiction that $S$ is $k$-MC, but not $(k+1)$-safe. Then, there
must be $s = (\vec q; \vec w) \in RS_{k+1}(S) \setminus RS_k(S)$ such that at least one of the following
conditions does not hold.

1. For all $pq \in C$, if $w_{pq} = a \cdot w'$, then $s \Longrightarrow^{*}_{k+1} \xrightarrow{pq?a}_{k+1}$.
2. For all $p \in P$, if $q_p$ is a receiving state, then $s \Longrightarrow^{*}_{k+1} \xrightarrow{qp?a}_{k+1}$ for some $q \in P$
and $a \in \Sigma$.

Note that $S$ is $(k+1)$-OBI and $(k+1)$-exhaustive by Lemma 14.

By Lemma 13, there is $s' \in RS_k(S)$ such that $s \Longrightarrow^{\phi}_{k+1} s'$.
(1) Assume that Item 1 above does not hold, i.e., we have $w_{pq} = a \cdot w'$ for some
$pq \in C$, but each path $\phi$ from $s$ does not contain $pq?a$. Observe that for the
first occurrence of $pq?b$ in $\phi$, we must have $a = b$ (since $w_{pq} = a \cdot w'$), but we
cannot have $pq?a \in \phi$ by contradiction hypothesis. This implies that we have
$w_{pq} = a \cdot w' \cdot w''$ in $s'$, and since $S$ is $k$-MC and $s' \in RS_k(S)$, we must have
$s' \Longrightarrow^{*}_k \xrightarrow{pq?a}_k$. Thus, we have $s \Longrightarrow^{\phi}_{k+1} s' \Longrightarrow^{*}_k \xrightarrow{pq?a}_k$, a contradiction.

(2) Assume that Item 2 above does not hold, i.e., there is $p \in P$ such that
$q_p$ is a receiving state but for each path $\phi$ from $s$, $\phi$ does not allow $p$ to fire
a (receive) action. Hence, by contradiction hypothesis we have $qp?a \notin \phi$ for
any $a$ and $q$. Hence $p$ is still in state $q_p$ in configuration $s'$. Since $S$ is $k$-MC and
$s' \in RS_k(S)$, we must have $s' \Longrightarrow^{*}_k \xrightarrow{qp?a}_k$. Thus, we have $s \Longrightarrow^{\phi}_{k+1} s' \Longrightarrow^{*}_k \xrightarrow{qp?a}_k$,
a contradiction. □
Theorem 1. If $S$ is $k$-OBI, IBI, and $k$-MC, then it is safe.

Proof. By Theorem 9 and Lemma 2. □

Theorem 9. If $S$ is reduced $k$-OBI, IBI, and $k$-MC, then it is safe.

Proof. Direct consequence of Lemma 17. □


Lemma 18. Let $S$ be (reduced) $k$-OBI and IBI. If $S$ is safe and $k$-exhaustive,
then it is $k$-MC.

Proof. We show that $S$ is $k$-safe. By contradiction, assume there is $S$ safe, $k$-
exhaustive, and not $k$-safe. Since $S$ is not $k$-safe, then there is $s = (\vec q; \vec w) \in$
$RS_k(S)$ such that at least one of the two cases below holds.

1. $w_{pq} = a \cdot w'$ and there is no execution $\phi$ such that $s \Longrightarrow^{\phi}_k \xrightarrow{pq?a}_k$. By safety,
there is $\psi$ and $n > k$ such that $s \Longrightarrow^{\psi}_n \xrightarrow{pq?a}_n$. By Lemma 7, we can
extend $\psi \cdot pq?a$ such that there is an equivalent $k$-bounded execution, which
contradicts this case.

2. $q_p$ is a receiving state and there is no execution $\phi$ such that $s \Longrightarrow^{\phi}_k \xrightarrow{qp?a}_k$,
then we reason similarly as above using Lemma 7. □


Lemma 19. If $S$ is $k$-SIBI, then it is $k$-IBI.
Proof. Straightforward. □
Lemma 20. If $S$ is $k$-CIBI, then it is $k$-IBI.
Proof. Straightforward. □


Lemma 21. If $s \vdash \ell \prec_{\phi} \ell'$, then there is a subsequence $\psi$ of $\phi$ such that

— $s \vdash \ell < \ell'$ and $\psi = \varepsilon$, or
— $\psi = \ell_1 \cdots \ell_n$ ($n \geq 1$), $s \vdash \ell < \ell_1$, $\forall 1 \leq i < n : s \vdash \ell_i < \ell_{i+1}$, $s \vdash \ell_n < \ell'$.

Proof. By induction on the length of $\phi$.

(Base case) If $s \vdash \ell \prec_{\varepsilon} \ell'$, then we must have $s \vdash \ell < \ell'$ by definition.
(Inductive case) Assume the result holds for $\phi$ and let us show it holds for
$\ell'' \cdot \phi$. There are two cases:

— If $s \vdash \ell \prec_{\phi} \ell'$, then we have the result by induction hypothesis, since any
subsequence of $\phi$ is a subsequence of $\ell'' \cdot \phi$.

— If $s \vdash \ell < \ell''$ and $s \vdash \ell'' \prec_{\phi} \ell'$. Then by induction hypothesis there is a
subsequence $\ell_1 \cdots \ell_n$ of $\phi$ such that $\ell'' < \ell_1 < \cdots < \ell_n < \ell'$, hence we have the
result with the subsequence $\ell'' \cdot \ell_1 \cdots \ell_n$. □


Lemma 22. Let $S$ be a system, $s \in RS(S)$, and $\phi = \phi_1 \cdot \ell \cdot \phi_2 \cdot \ell' \cdot \phi_3$ such that
$s_0 \Longrightarrow^{\phi}$, and $s \vdash \ell \prec_{\phi_2} \ell'$, with $s_0 \Longrightarrow^{\phi_1} s$. Then for all valid $\psi$ such that $\psi \asymp \phi$, there
are $\psi_1$, $\psi_2$, $\psi_3$, and $t \in RS(S)$ such that

1. $\psi = \psi_1 \cdot \ell \cdot \psi_2 \cdot \ell' \cdot \psi_3$,
2. $\pi_{subj(\ell)}(\psi_1) = \pi_{subj(\ell)}(\phi_1)$,
3. $\pi_{subj(\ell')}(\psi_1 \cdot \ell \cdot \psi_2) = \pi_{subj(\ell')}(\phi_1 \cdot \ell \cdot \phi_2)$, and
4. $t \vdash \ell \prec_{\psi_2} \ell'$, with $s_0 \Longrightarrow^{\psi_1} t$.

Proof. By Lemma 21, there is a subsequence $\ell_1 \cdots \ell_n$ of $\phi_2$ such that
$s \vdash \ell = \ell_0 < \ell_1$ and $\forall 1 \leq i < n : s \vdash \ell_i < \ell_{i+1}$ and $s \vdash \ell_n < \ell' = \ell_{n+1}$.

Take the shortest such subsequence (smallest $n$); we show that the relative order
between each pair of actions must be preserved. By definition, for each $s \vdash \ell_j <$
$\ell_{j+1}$ ($0 \leq j < n+1$) to hold there are two cases:

— If $subj(\ell_j) = subj(\ell_{j+1})$, then it is not possible to swap $\ell_j$ and $\ell_{j+1}$ while
preserving $\asymp$-equivalence.

— If $subj(\ell_j) \neq subj(\ell_{j+1})$, then $chan(\ell_j) = chan(\ell_{j+1})$, and there are two
cases depending on whether the queue $chan(\ell_j)$ is empty when $\ell_j$ is fired.

• If the queue is empty, then we cannot swap $\ell_j$ and $\ell_{j+1}$ without invali-
dating the execution since they are matching send and receive actions.

• If the queue is not empty, since $w_{chan(\ell_j)} = \varepsilon$ (at $s$) there must be another
send action $\ell_l$ with $l < j$ such that $chan(\ell_l) = chan(\ell_{j+1})$. Therefore, we
have $s \vdash \ell_l < \ell_{j+1}$, and thus $\ell_1 \cdots \ell_l \cdot \ell_{j+1} \cdots \ell_n$ is a (strictly) shorter
subsequence of $\phi_2$ which is a dependency chain, a contradiction.

Since each pair of actions cannot be swapped without invalidating the sequence
or breaking $\asymp$-equivalence, we must conclude that any $\psi$ has the required form and
that the $t \vdash \ell \prec_{\psi_2} \ell'$ property holds since $\psi_2$ must contain the subsequence
$\ell_1 \cdots \ell_n$. □


Lemma 23. If $S$ is reduced $k$-OBI, $k$-SIBI and $k$-exhaustive, then it is $(k+1)$-IBI.
Proof. From Lemma 24 and 25. □
Lemma 24. If $S$ is $k$-SIBI, then it is $k$-CIBI.

Proof. By contradiction, take $s = (\vec q; \vec w) \in RS_k(S)$ such that the condition for
$k$-CIBI does not hold while the condition for $k$-SIBI does. Then, we must have
$s \xrightarrow{qp?a}_k s'$ and $s' \Longrightarrow^{\phi}_k \xrightarrow{sp!b}_k$, such that $\neg(s \vdash qp?a \prec_{\phi} sp!b)$. However, the
existence of an execution $s' \Longrightarrow^{\phi}_k \xrightarrow{sp!b}_k$ contradicts Definition 11. □
Lemma 25. If $S$ is reduced $k$-OBI, $k$-CIBI and $k$-exhaustive, then it is $(k+1)$-IBI.

Proof. Take $s \in RS_k(S)$ and $s' \in RS_{k+1}(S)$ such that $s \Longrightarrow^{\phi}_{k+1} s'$. We show
by induction on the length of $\phi$ that $s' \Longrightarrow^{\phi'}_{k+1} t$ for some $t \in RS_k(S)$, and
there is $\psi$ such that $s \Longrightarrow^{\psi}_k t$ with $\psi \asymp \phi \cdot \phi'$, and for all prefix $\phi_0$ of $\phi'$, if
$s' \Longrightarrow^{\phi_0}_{k+1} s'' = (\vec q; \vec w)$, $s''$ validates the following condition, for all $p \in P$:

$s'' \xrightarrow{qp?a}_{k+1} \implies \forall \ell \in A : s'' \xrightarrow{\ell}_{k+1} \wedge subj(\ell) = p \implies \ell = qp?a$

(Base case) Assume $\phi = \ell$. If $\ell = pq?a$, then $s' \in RS_k(S)$, and we have the result
since $S$ is $k$-CIBI (via Lemma 20), with $s = t$. If $\ell = pq!a$, then since $S$ is
$k$-exhaustive, we have $s \Longrightarrow^{\psi}_k t \xrightarrow{pq!a}_k t'$, with $p \notin \psi$. Hence, we have $s' \Longrightarrow^{\psi}_{k+1} t'$.
We show that for all prefix $\psi_0$ of $\psi$, if $s' \Longrightarrow^{\psi_0}_{k+1} t''$, then $t''$ validates the $(k+1)$-IBI
condition. We have the following situation:

[diagram omitted: the executions above, with $\ell = pq!a$]

Assume by contradiction that $t'' \xrightarrow{sr?b}_{k+1}$ and $t'' \xrightarrow{tr?c}_{k+1}$. If these two tran-
sitions are also enabled at $s''$, we have a contradiction with the fact that $S$ is
$k$-CIBI. Hence, we have that either participant $r$ has made a move through $\ell$
(hence $p = r$), or an additional receive action in $r$ becomes enabled because $sr = pq$
or $tr = pq$ (i.e., the queue $sr$ (resp. $tr$) is empty in $s$ and $s''$).

— If $p = r$, then if we pose $\psi_0 = \psi$, we have $t \xrightarrow{sr?b}_k$ and $t \xrightarrow{tr?c}_k$ which
contradicts the fact that $S$ is $k$-CIBI.

— If $sr = pq$ (i.e., $sr?b = pq?a$), then we have $s'' \xrightarrow{tq?c}_k v$ for some $v$. Since $S$
is $k$-exhaustive, we also have $v \Longrightarrow^{\psi_2}_k \xrightarrow{pq!a}_k$ with $p \notin \psi_2$. By $k$-CIBI, we have
that for all such $\psi_2$, we have $s'' \vdash tq?c \prec_{\psi_2} pq!a$, which is a contradiction
with Lemma 22 since the two actions are swapped in $k+1$.
— The case $tr = pq$ is symmetric to the one above.

(Inductive case) Assume the result holds for $\phi$ and let us show it holds for
$\phi \cdot \ell$. Assume that we have the following situation, where the dashed edges need
to be shown to exist.

[diagram: $s \Longrightarrow^{\phi} s' \xrightarrow{\ell} s''$ on top, $s \Longrightarrow^{\psi} t'$ on the left, and the dashed execution $t' \dashrightarrow t''$ at the bottom]

with $s, t' \in RS_k(S)$ and $s', s'' \in RS_{k+1}(S)$.

By induction hypothesis, all configurations between $s'$ and $t'$ and between $s'$
and $s''$ are $(k+1)$-IBI and $(k+1)$-OBI (by Lemma 17), hence, we can use a similar
reasoning to that of Lemma 5 to show that either $s'' \Longrightarrow^{\phi'}_{k+1} t''$ (with $t' \xrightarrow{\ell}_k t''$)
or $s'' \Longrightarrow^{\phi'}_{k+1} t'$ (with $t' = t''$).

— If $s'' \Longrightarrow^{\phi'}_{k+1} t''$ (with $t' \xrightarrow{\ell}_k t''$), then we proceed as in the base case with
$s := t'$ and $s' := t''$.

— If $s'' \Longrightarrow^{\phi'}_{k+1} t'$ (with $t' = t''$), then we only have to show that all configu-
rations on $\phi'$ validate the condition. Since there is an equivalent $k$-bounded
execution, any violation would contradict the hypothesis that $S$ is $k$-CIBI. □
Lemma 8. If $S$ is reduced $k$-OBI, $k$-SIBI, and $k$-exhaustive, then it is $(k+1)$-SIBI.

Proof. We note that since $S$ is reduced $k$-OBI, $k$-SIBI and $k$-exhaustive, we have
that $S$ is $(k+1)$-IBI by Lemma 23. We show this result by contradiction, using
Lemma 23 and Lemma 7. Assume, by contradiction, that there is $s \in RS_k(S)$
and $s' = (\vec q; \vec w) \in RS_{k+1}(S)$ such that $s \Longrightarrow^{\phi}_{k+1} s'$ with $p \in P$ s.t.

1. $s' \xrightarrow{qp?a}_{k+1}$, and $s' \xrightarrow{sp?b}_{k+1}$, or
2. $s' \xrightarrow{qp?a}_{k+1}$, and $\exists (q_p, sp?b, q'_p) \in \delta_p : s \neq q \wedge s' \Longrightarrow^{\phi'}_{k+1} \xrightarrow{sp!b}_{k+1}$

(1) follows from Lemma 23.

(2) Assume there is $s'$ such that $s' \xrightarrow{qp?a}_{k+1}$, and $\exists (q_p, sp?b, q'_p) \in \delta_p : s \neq$
$q \wedge s' \Longrightarrow^{\phi'}_{k+1} \xrightarrow{sp!b}_{k+1} s''$. By Lemma 7, there is $t \in RS_k(S)$ such that $s \Longrightarrow^{\psi}_k t$
and $s'' \Longrightarrow^{\phi''}_{k+1} t$ with $\psi \asymp \phi \cdot \phi' \cdot sp!b \cdot \phi''$. Hence both $qp?a$ and $sp!b$ appear in $\psi$
which contradicts the fact that $S$ is $k$-SIBI. □


Lemma 26. If $S$ is $k$-OBI, $k$-SIBI and $k$-exhaustive, then it is IBI.

Proof. Direct consequence of Lemma 8, Lemma 14, and Lemma 2. □


Lemma 27. If $S$ is reduced $k$-OBI, $k$-CIBI, and $k$-exhaustive, then it is $(k+1)$-CIBI.

Proof. We first note that since $S$ is reduced $k$-OBI, $k$-CIBI and $k$-exhaustive, we
have that $S$ is $(k+1)$-IBI by Lemma 25.

We show this result by contradiction, using Lemma 25 and Lemma 7. Assume,
by contradiction, that there is $s \in RS_k(S)$ and $s' = (\vec q; \vec w) \in RS_{k+1}(S)$ such that
$s \Longrightarrow^{\phi}_{k+1} s'$ with $p \in P$, $(q_p, sp?b, q'_p) \in \delta_p$ and $s \neq q$ s.t.

1. $s' \xrightarrow{qp?a}_{k+1}$, and $s' \xrightarrow{sp?b}_{k+1}$, or
2. $s' \xrightarrow{qp?a}_{k+1} s''$, $s'' \Longrightarrow^{\phi'}_{k+1} \xrightarrow{sp!b}_{k+1} t'$, and $\neg(s' \vdash qp?a \prec_{\phi'} sp!b)$

(1) is a contradiction with Lemma 25.

(2) By Lemma 7, there is $t \in RS_k(S)$ such that $s \Longrightarrow^{\psi}_k t$, and $t' \Longrightarrow^{\phi''}_{k+1} t$ with
$\psi \asymp \phi \cdot qp?a \cdot \phi' \cdot sp!b \cdot \phi''$. There are two cases:

1. If $\psi = \psi_1 \cdot sp!b \cdot \psi_2 \cdot qp?a \cdot \psi_3$, with $\pi_p(\psi_1 \cdot sp!b \cdot \psi_2) = \pi_p(\phi)$ and $\pi_s(\psi_1) =$
$\pi_s(\phi \cdot qp?a \cdot \phi')$, then we have a contradiction with the assumption that $S$ is
$k$-CIBI since $p$ can receive $b$ and $a$ after having executed $\pi_p(\psi_1 \cdot sp!b \cdot \psi_2)$,
i.e., both messages are in the queue.

2. If $\psi = \psi_1 \cdot qp?a \cdot \psi_2 \cdot sp!b \cdot \psi_3$, with $\pi_p(\psi_1) = \pi_p(\phi)$ and $\pi_s(\psi_1 \cdot qp?a \cdot \psi_2) =$
$\pi_s(\phi \cdot qp?a \cdot \phi')$, then we must have $\hat s \vdash qp?a \prec_{\psi_2} sp!b$ (assuming $s_0 \Longrightarrow^{\psi_1}_k \hat s$)
since $S$ is $k$-CIBI. By Lemma 22, we must also have $s' \vdash qp?a \prec_{\phi'} sp!b$, a
contradiction. □
Lemma 28. If $S$ is $k$-OBI, $k$-CIBI and $k$-exhaustive, then it is IBI.
Proof. By Lemma 14, Lemma 27, and Lemma 2. □
Lemma 1. If $S$ is $k$-OBI, $k$-CIBI (resp. $k$-SIBI) and $k$-exhaustive, then it is IBI.

Proof. By Lemma 28 and Lemma 26. □


G.1 Proofs for Section 3.2 (local-bound agnosticity)

Lemma 29. If $S$ is (reduced) $k$-OBI, IBI, and $k$-exhaustive, then
$\forall p \in P : \pi_p(TS_k(S)) \approx \pi_p(TS_{k+1}(S))$.

Proof. Pose $TS_k(S) = (N, s_0, \Delta)$ and $TS_{k+1}(S) = (N', s_0, \Delta')$. Recall that we
have $\Delta \subseteq \Delta'$ and $N \subseteq N'$. Assume by contradiction that $\neg(\pi_p(TS_k(S)) \approx \pi_p(TS_{k+1}(S)))$ for some $p \in P$.

Then, there are $s \in N \cap N'$ and $\ell$ (with $subj(\ell) = p$) such that $s \Longrightarrow^{\phi}_{k+1} s' \xrightarrow{\ell}_{k+1}$
with $\pi_p(\phi) = \varepsilon$ and

$\forall \phi' \in A^* : \forall s'' \in RS_k(S) : s \Longrightarrow^{\phi'}_k s'' \wedge \pi_p(\phi') = \varepsilon \implies \neg(s'' \xrightarrow{\ell}_k)$   (2)

By Lemma 7, there is $t \in RS_k(S)$ and $\psi, \psi' \in A^*$, such that $s \Longrightarrow^{\psi}_k t$,
$s' \xrightarrow{\ell}_{k+1} \Longrightarrow^{\psi'}_{k+1} t$, and $\psi \asymp \phi \cdot \ell \cdot \psi'$. Hence, we have $s \Longrightarrow^{\psi}_k$ with $\pi_p(\psi) = \ell \cdot \psi''$ for some $\psi''$,
which contradicts (2). □


Lemma 30. If $S$ is such that $\exists k \in \mathbb{N}_{>0} : \forall p \in P : \pi_p(TS_k(S)) \approx \pi_p(TS_{k+1}(S))$,
then $S$ is $k$-exhaustive.

Proof. Assume by contradiction that there is some $k \in \mathbb{N}_{>0}$ such that
$\forall p \in P : \pi_p(TS_k(S)) \approx \pi_p(TS_{k+1}(S))$   (3)

and $S$ is not $k$-exhaustive.

Pose $TS_k(S) = (N, s_0, \Delta)$ and $TS_{k+1}(S) = (N', s_0, \Delta')$. Recall that we have
$\Delta \subseteq \Delta'$ and $N \subseteq N'$.

Since $S$ is not $k$-exhaustive, there are $s = (\vec q; \vec w) \in RS_k(S)$ and $pq \in C$ such
that $s \xrightarrow{pq!a}$ and

$\forall \phi \in A^* : \forall s' \in RS_k(S) : s \Longrightarrow^{\phi}_k s' \wedge p \notin \phi \implies \neg(s' \xrightarrow{pq!a}_k)$   (4)

Since $s \in RS_k(S)$ and $\neg(s \xrightarrow{pq!a}_k)$, we must have $|w_{pq}| = k$. Hence, $s \xrightarrow{pq!a}_{k+1}$
and therefore
$(s, pq!a, s'') \in \Delta'$ for some $s'' \in N'$   (5)

By (3) and the fact that $\Delta \subseteq \Delta'$ and $N \subseteq N'$, we must have
$\pi_p((N, s, \Delta)) \approx \pi_p((N', s, \Delta'))$

which is clearly a contradiction with (4) and (5). □
Corollary 1. Let $S$ be $k$-OBI and IBI s.t. $\forall p \in P : \pi_p(TS_k(S)) \approx \pi_p(TS_{k+1}(S))$,
then $S$ is locally bound-agnostic for $k$.

Proof. Take $S$ such that $\exists k : \forall p \in P : \pi_p(TS_k(S)) \approx \pi_p(TS_{k+1}(S))$. Then, by
Lemma 30, $S$ is $k$-exhaustive. Since $S$ is $k$-OBI and $(k+1)$-IBI by assumption,
$S$ is $n$-exhaustive for any $n \geq k$, by Lemma 14. Hence, by Lemma 29, we have
$\forall p \in P : \pi_p(TS_n(S)) \approx \pi_p(TS_{n+1}(S))$ (for any $n \geq k$). □


Theorem 3. Let $S$ be a system.

(1) If $\exists k \in \mathbb{N}_{>0} : \forall p \in P : \pi_p(TS_k(S)) \approx \pi_p(TS_{k+1}(S))$, then $S$ is $k$-exhaustive.
(2) If $S$ is $k$-OBI, IBI, and $k$-exhaustive, then $\forall p \in P : \pi_p(TS_k(S)) \approx \pi_p(TS_{k+1}(S))$.

Proof. Part (1) follows from Lemma 30 and Part (2) follows from Lemma 29. □


H Synchronous multiparty compatibility

We adapt the definition of (synchronous) multiparty compatibility from [6, Def-
inition 4] to our setting (this definition is adapted from [18, Definition 4.2]).

We write $sync(\phi)$ iff $\phi = \varepsilon$, or $\phi = pq!a \cdot pq?a \cdot \phi'$ and $sync(\phi')$. We say that
$s$ is stable iff $s = (\vec q; \vec\varepsilon)$ and define $RS_0(S)$ as follows:

$RS_0(S) \stackrel{\text{def}}{=} \{ s \mid s_0 \Longrightarrow^{\phi}_1 s \wedge sync(\phi) \} \cup \{ s \mid s_0 \Longrightarrow^{\phi \cdot pq!a}_1 s \wedge sync(\phi) \}$

Definition 26 ($TS_0(S)$). The synchronous transition system of $S$, written $TS_0(S)$,
is the labelled transition system $(N, s_0, \Delta)$ such that $N = RS_0(S)$, $s_0$ is the initial
configuration of $S$, $\Delta \subseteq N \times A \times N$ is the transition relation such that

— $(s, pq!a, s'') \in \Delta$ iff $\exists s' \in N : s \xrightarrow{pq!a}_1 s' \xrightarrow{pq?a}_1 s''$; and

— $(s', pq?a, s'') \in \Delta$ iff $\exists s \in N : s \xrightarrow{pq!a}_1 s' \xrightarrow{pq?a}_1 s''$.

We write $s_1 \Longrightarrow^{\phi}_0 s_{n+1}$ iff $\phi = \ell_1 \cdots \ell_n$ and $\forall 1 \leq i \leq n : (s_i, \ell_i, s_{i+1}) \in \Delta$.

Definition 27 (Synchronous multiparty compatibility [6]). $S$ is synchronous
multiparty compatible (SMC) if, letting $TS_0(S) = (N, s_0, \Delta)$, for all $p \in P$, for
all $q \in Q_p$, and for all stable $(\vec q; \vec w) \in N$, if $\vec q_p = q$, then

1. if $q$ is a sending state, then $\forall (q, \ell, q') \in \delta_p : \exists \phi : sync(\phi) \wedge s \Longrightarrow^{\phi}_1 \wedge \pi_p(\phi) = \ell$
2. if $q$ is a receiving state, then $\exists (q, \ell, q') \in \delta_p : \exists \phi : sync(\phi) \wedge s \Longrightarrow^{\phi}_1 \wedge \pi_p(\phi) = \ell$.
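The definitions of this section (synchronous executions, the stable nodes of $TS_0(S)$, and Definition 27) can be exercised on a concrete system. The Python below is an added example written for this page; it is not code from the paper or from its tool, and its encoding is an assumption: a system maps a one-letter participant name to a pair (initial state, transition table), and an action is written `pq!a` (p sends a to q) or `pq?a` (q receives a from p). It enumerates the stable configurations reachable by synchronous executions and checks both clauses of Definition 27, reading "there is a sync execution $\phi$ from $s$ with $\pi_p(\phi) = \ell$" as "the first action of $p$ along some sync execution from $s$ is $\ell$". The two client/server systems at the end are constructed for the example: one handles both replies of the server, the other drops the `err` branch and is therefore not SMC.

```python
"""Added example for this page (not code from the paper or its tool): a
small model of the synchronous transition system of Section H and a checker
for Definition 27 (synchronous multiparty compatibility).  Encoding assumed
here: a system maps a one-letter participant name to (initial_state,
{state: [(action, next_state), ...]}); actions are 'pq!a' (p sends a to q)
or 'pq?a' (q receives a from p)."""
from collections import deque


def subj(action):
    """subj(pq!a) = p and subj(pq?a) = q."""
    return action[0] if '!' in action else action[1]


def kind(automaton, state):
    """A CSA state is 'sending', 'receiving' or 'final' (no transitions);
    mixed states are rejected by this encoding."""
    outgoing = automaton[1].get(state, [])
    if not outgoing:
        return 'final'
    if all('!' in act for act, _ in outgoing):
        return 'sending'
    if all('?' in act for act, _ in outgoing):
        return 'receiving'
    raise ValueError('mixed state %r is not allowed in a CSA' % (state,))


def key(states):
    """Hashable form of a stable configuration (all queues are empty)."""
    return tuple(sorted(states.items()))


def sync_steps(system, states):
    """Synchronous steps from a stable configuration: a send pq!a that is
    immediately matched by pq?a, i.e. one block pq!a . pq?a of a sync
    execution.  Yields (send action, resulting stable configuration)."""
    for p, (_, delta) in system.items():
        for act, next_p in delta.get(states[p], []):
            if '!' not in act:
                continue
            q = act[1]
            for ract, next_q in system[q][1].get(states[q], []):
                if ract == act.replace('!', '?'):
                    new = dict(states)
                    new[p], new[q] = next_p, next_q
                    yield act, new


def stable_configurations(system):
    """Stable nodes of TS_0(S): reachable from s_0 by sync executions."""
    s0 = {p: aut[0] for p, aut in system.items()}
    seen, todo = {key(s0): s0}, deque([s0])
    while todo:
        cur = todo.popleft()
        for _, nxt in sync_steps(system, cur):
            if key(nxt) not in seen:
                seen[key(nxt)] = nxt
                todo.append(nxt)
    return list(seen.values())


def realisable(system, s, p, ell):
    """Is there a sync execution phi from s with pi_p(phi) = ell, i.e. one in
    which the first action of p is ell?  Search sync steps in which p stays
    idle until a step performs ell."""
    seen, todo = {key(s)}, deque([s])
    while todo:
        cur = todo.popleft()
        for send, nxt in sync_steps(system, cur):
            recv = send.replace('!', '?')
            if ell in (send, recv) and subj(ell) == p:
                return True
            if p in (subj(send), subj(recv)):
                continue  # p moved with another action: pi_p(phi) != ell
            if key(nxt) not in seen:
                seen.add(key(nxt))
                todo.append(nxt)
    return False


def is_smc(system):
    """Definition 27: at every stable configuration, each send of a sending
    state and at least one receive of a receiving state must be realisable
    along a synchronous execution."""
    for s in stable_configurations(system):
        for p, aut in system.items():
            outgoing = aut[1].get(s[p], [])
            if kind(aut, s[p]) == 'sending':
                if not all(realisable(system, s, p, ell) for ell, _ in outgoing):
                    return False
            elif kind(aut, s[p]) == 'receiving':
                if not any(realisable(system, s, p, ell) for ell, _ in outgoing):
                    return False
    return True


# Constructed systems (not from the page).  A client c sends a request to a
# server s, which answers ok or err.  COMPATIBLE handles both answers;
# INCOMPATIBLE only handles ok, so the send sc!err of s can never synchronise.
COMPATIBLE = {
    'c': (0, {0: [('cs!req', 1)], 1: [('sc?ok', 0), ('sc?err', 0)]}),
    's': (0, {0: [('cs?req', 1)], 1: [('sc!ok', 0), ('sc!err', 0)]}),
}
INCOMPATIBLE = {
    'c': (0, {0: [('cs!req', 1)], 1: [('sc?ok', 0)]}),
    's': (0, {0: [('cs?req', 1)], 1: [('sc!ok', 0), ('sc!err', 0)]}),
}

if __name__ == '__main__':
    print('COMPATIBLE is SMC:', is_smc(COMPATIBLE))
    print('INCOMPATIBLE is SMC:', is_smc(INCOMPATIBLE))
```

Only the stable part of $RS_0(S)$ is enumerated, since Definition 27 quantifies over stable configurations; the intermediate configuration after a lone send is implicit in each `sync_steps` block.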


Lemma 31. Let $S$ be directed and SMC. For all stable $s \in RS_0(S)$, if $s \xrightarrow{pq!a}_1$
and $\Psi = \{ \phi \mid s \Longrightarrow^{\phi}_1 \xrightarrow{pq!a}_1 \wedge sync(\phi) \}$, then $\Psi \neq \emptyset$ and $\Psi$ is 1-closed for $s$.

Proof. The proof is an instance of the proof of Lemma 4, noting that (1) SMC
guarantees the existence of a synchronous execution that includes all send actions
enabled at a given sending state and (2) directedness implies 1-OBI. □
Lemma 32. Let $S$ be directed and SMC, then for all $s \in RS_1(S)$ such that
$s_0 \Longrightarrow^{\phi} s$, there are $\phi', \psi \in A^*$ and stable $t \in RS_0(S)$ such that $s \Longrightarrow^{\phi'}_1 t$, $s_0 \Longrightarrow^{\psi}_1 t$,
$\phi \cdot \phi' \asymp \psi$, and $sync(\psi)$.

Proof. Since $S$ is directed and SMC, we can use Lemma 31 and Lemma 6, to
show that the result holds following the same reasoning as in Lemma 7. □


Theorem 11. If $S$ is SMC then it is 1-MC.

Proof. We show that $S$ is 1-exhaustive, then show that it is 1-safe.

(exhaustivity) We have to show that for all $s = (\vec q; \vec w) \in RS_1(S)$ and $p \in P$, if
$q_p$ is a sending state, then $\forall (q_p, \ell, q'_p) \in \delta_p : \exists \phi \in A^* : s \Longrightarrow^{\phi}_1 \xrightarrow{\ell}_1$ and $p \notin \phi$.

By contradiction take $s = (\vec q; \vec w) \in RS_1(S)$ such that

$s \xrightarrow{pq!a}$ and $\neg(s \Longrightarrow^{\phi}_1 \xrightarrow{pq!a}_1 \text{ and } p \notin \phi)$   (6)

By Lemma 32, there is stable $t \in RS_0(S)$ such that $s \Longrightarrow^{\phi}_1 t$. If $p \notin \phi$, then $pq!a$
is still enabled in $t$ and by SMC there is a (synchronous) execution from $t$ that
includes $pq!a$, a contradiction with (6). If $p \in \phi$, then $pq!a$ can be fired from a
state along $\phi$, a contradiction with (6).

(safety) We have to show that for all $s = (\vec q; \vec w) \in RS_1(S)$:

1. Eventual reception: $\forall pq \in C$, if $w_{pq} = a \cdot w'$, then $s \Longrightarrow^{*}_1 \xrightarrow{pq?a}_1$. This
follows trivially from Lemma 32 since there is a 1-bounded execution from
$s$ to a stable configuration.

2. Progress: $\forall p \in P$, if $q_p$ is a receiving state, then $s \Longrightarrow^{*}_1 \xrightarrow{qp?a}_1$ for $q \in P$
and $a \in \Sigma$. By Lemma 32, there is a 1-bounded execution $\phi$ from $s$ to a
stable $t \in RS_0(S)$. If the expected receive action occurs in $\phi$, then we have
the required result. If the expected receive action does not occur in $\phi$, then
SMC guarantees that it will occur in a synchronous execution from $t$. □


I Proofs for Section A (partial order reduction)

Below, we say that a configuration $s \in RS_k(S)$ is $k$-OBI (resp. $k$-IBI) if it validates
the corresponding condition, e.g., if $p$ can fire one send action from $s$, then all
its send actions are enabled. We say that $S$ (resp. $s$) is $k$-BI when it is $k$-OBI and
$k$-IBI.

Definition 28. We say that $S$ is reduced $k$-chained input bound independent
(reduced $k$-CIBI) if for all $s = (\vec q; \vec w) \in RS_k(S)$ and for all $p \in P$, if $s \hat\longrightarrow^{qp?a}_k$
then $\forall (q_p, sp?b, q'_p) \in \delta_p : s \neq q \implies \neg(s \hat\longrightarrow^{sp?b}_k) \wedge (\forall \phi : s \hat\Longrightarrow^{\phi}_k \hat\longrightarrow^{sp!b}_k \implies$
$s \vdash qp?a \prec_{\phi} sp!b)$.


Lemma 2. Let $S$ be a system, if $S$ is $k$-OBI, then $S$ is also reduced $k$-OBI.
Proof. By contradiction. Notice that Definition 20 requires the same property
as Definition 6 at the configuration level. Take $s \in \hat N$ s.t. $s$ violates the (re-
duced) $k$-OBI condition, then $s \in RS_k(S)$, and $s$ also violates $k$-OBI. □


Lemma 33. Let $S$ be a system, if $S$ is $k$-SIBI, then $S$ is also reduced $k$-SIBI.

Proof. By contradiction. Take $s \in \hat N$ s.t. it violates the (reduced) $k$-SIBI condi-
tion. Note that $s \in RS_k(S)$. There are two cases:

— If there is $p$ such that two receive actions are enabled for $p$, then they are
also enabled at $s$, a contradiction.

— If there is $p$ such that one receive action is enabled for $p$, and there is a $\hat\Longrightarrow_k$-
path s.t. a conflicting send action is fired, then we have the situation in
$TS_k(S)$, hence we have a contradiction. □


Lemma 34. Let $S$ be a system, if $S$ is $k$-CIBI, then $S$ is also reduced $k$-CIBI.

Proof. By contradiction. Take $s \in \hat N$ s.t. it violates the (reduced) $k$-CIBI condi-
tion. Note that $s \in RS_k(S)$. There are two cases:

— If there is $p$ such that two receive actions are enabled for $p$, then they are
also enabled at $s$, a contradiction.

— If there is $p$ such that one receive action is enabled for $p$, and there is a $\hat\Longrightarrow_k$-path
s.t. a conflicting send action is fired, and there is no dependency chain in $\phi$,
then we have the situation in $TS_k(S)$, hence we have a contradiction. □


Lemma 35 states that any transition in a given set $L_i$ cannot be disabled by
a sequence of transitions not in $L_i$.

Lemma 35. Let $S$ be a system, $s \in RS_k(S)$ s.t. $s$ is $k$-BI, and $L_1 \cdots L_n =$
$partition(s)$ (with $n \geq 1$). For all $L_i$ (with $1 \leq i \leq n$) and for all $\phi = \ell_1 \cdots \ell_m$
such that $\forall 1 \leq j \leq m : \ell_j \notin L_i$, if $s \Longrightarrow^{\phi}_k s'$, then $\ell \in L_i \implies s' \xrightarrow{\ell}_k$.

Proof. Take $s \in TS_k(S)$, $L_1 \cdots L_n = partition(s)$, $L_i$ ($1 \leq i \leq n$), and $\phi$ as
defined in the statement. Take any $\ell \in L_i$ and assume there is $s'$ such that
$s \Longrightarrow^{\phi}_k s'$. We show the result by induction on the length of $\phi$ with the additional
property that $subj(\ell) \notin \phi$ (note that this implies $q_p = q'_p$).

If $\phi = \varepsilon$, then $s = s'$ and we have the result immediately ($s \xrightarrow{\ell}_k$ by Defini-
tion 18).

Assume the result holds for $\phi$ and let us show that it holds for $\phi \cdot \ell'$ with
$\ell' \notin L_i$. Assume we have $s''$ such that $s \Longrightarrow^{\phi}_k s' \xrightarrow{\ell'}_k s''$. We have to show that
$s'' \xrightarrow{\ell}_k$ knowing that, by induction hypothesis, we have that $s' \xrightarrow{\ell}_k$ and $q_p = q'_p$.
There are two cases:

— If $subj(\ell) = subj(\ell')$, then since $s$ is $k$-BI, we have $s \xrightarrow{\ell'}_k$ hence $\ell' \in L_i$, which
implies that the premises of this lemma do not hold: a contradiction.
— If $subj(\ell) \neq subj(\ell')$, then we have $q_p = q'_p = q''_p$ and therefore $q''_p \xrightarrow{\ell}$.
• If $\ell = pq!a$. The only possibility for $\ell$ to be disabled in $s''$ and enabled
in $s'$ is if $|w''_{pq}| \geq k$ which is not possible since $subj(\ell') \neq p$.

• If $\ell = qp?a$. The only possibility for $\ell$ to be disabled in $s''$ and enabled
in $s'$ is if $w''_{qp} = \varepsilon$ which is not possible since $subj(\ell') \neq p$. □


Lemma 36. Let $S$ be a system, then for all $s \in RTS_k(S)$ s.t. $s$ is $k$-BI and
$\ell \in A$, if $s \xrightarrow{\ell}_k$ then there is $\phi \in A^*$ such that $s \hat\Longrightarrow^{\phi}_k \hat\longrightarrow^{\ell}_k$ with $subj(\ell) \notin \phi$.

Proof. By assumption that $s \in RTS_k(S)$, $s$ is visited by Algorithm 1.

If $partition(s)$ is invoked on $s$, the fact that $subj(\ell) \notin \phi$ follows from Defini-
tion 18, while the fact that $\ell$ is eventually fired follows from the fact that the list
of sets of transitions decreases at each iteration in Algorithm 1 and Lemma 35.

If $partition(s)$ is not invoked, then we have that $E$ is not empty when $s$ is
visited. Let $t$ be the last node visited before $s$ such that $partition(t)$ is invoked.
Pose $L_1 \cdots L_m = partition(t)$ and assume $E = L_i \cdots L_m$ ($i > 1$) when $s$ is
visited. If there is $L_j$ such that $\ell \in L_j$ ($i \leq j \leq m$), we have the result as above.
Otherwise, there are two cases:

— If $\ell$ is independent from all the actions in $L_i \cdots L_m$, then $\ell$ will still be
enabled once the list is entirely processed, and therefore $\ell$ will be included
in the partition resulting from the next invocation of $partition(\_)$.

— If $\ell$ depends on some partition $L_j$, then we have a contradiction: either $\ell$
is included in $L_j$ (it must have been enabled at $t$) or the list returned by
$partition(t)$ is not a partition. □


Lemma 37. Let $S$ be a system. If $s_0 \hat\Longrightarrow^{\phi_1}_k s \xrightarrow{\ell}_k s' \hat\Longrightarrow^{\phi_2}_k t$ such that $s$ is $k$-BI,
$subj(\ell) \notin \phi_2$, $chan(\ell) \notin \phi_2$, and $s \xrightarrow{\ell'}_k$ with $subj(\ell) = subj(\ell')$ then $s \hat\longrightarrow^{\ell'}_k s'' \hat\Longrightarrow^{\phi_2}_k$
$t''$ for some $s''$ and $t''$.

Proof. Assume that $E = L_1 \cdots L_m$ when $s$ is visited by Algorithm 1, then we
have $\ell, \ell' \in L_1$ and $s \hat\longrightarrow^{\ell'}_k s''$ for some $s''$. When both $s'$ and $s''$ are visited next,
we have $E = L_2 \cdots L_m$, hence it is easy to show they have the same behaviour
while $E$ is not empty. Say $s_m$ (resp. $s'_m$) is the first state reachable from $s'$ (resp.
$s''$) when $E$ is empty. Note that if $\ell$ is a receive action, then we must have $\ell = \ell'$
since $s$ is $k$-BI. Thus, the only differences between $s_m$ and $s'_m$ are:

— the local state of $subj(\ell)$
— the last message of channel $chan(\ell)$

In terms of enabled transitions, this means that every $\hat\ell$ such that $subj(\hat\ell) \neq$
$subj(\ell)$ and $chan(\hat\ell) \neq chan(\ell)$ is enabled at both $s_m$ and $s'_m$. Hence, posing
$L'_1 \cdots L'_j = partition(s_m)$ and $L''_1 \cdots L''_l = partition(s'_m)$

and assuming that the position of the partition of $subj(\ell)$ is $i$ (with $1 \leq i \leq j$ and
$i \leq l$), it must be the case that all paths of length less than $i$ and not involving
$chan(\ell)$ nor $subj(\ell)$ are the same from both $s_m$ and $s'_m$. Instead, any path longer
than $i$ must use an action whose subject is $subj(\ell)$ at position $i$, hence does not
satisfy the premises of this lemma. □
Lemma 38. Let $S$ be a reduced $k$-BI system such that $TS_k(S) = (N, s_0, \Delta)$,
$RTS_k(S) = (\hat N, s_0, \hat\Delta)$, and $t_0 \in N \cap \hat N$. The following holds:

1. If $t_0 \hat\Longrightarrow^{\phi}_k s$, then $t_0 \Longrightarrow^{\phi}_k s$, for some $s$.
2. If $t_0 \Longrightarrow^{\phi}_k s$, then there is $\psi$ and $\phi'$ such that $t_0 \hat\Longrightarrow^{\psi}_k t$ and $s \Longrightarrow^{\phi'}_k t$ and
$\phi \cdot \phi' \asymp \psi$, for some $t$.

Proof. Item (1) follows trivially from Definition 18 and Algorithm 1, since only
transitions that exist in $TS_k(S)$ are copied in $RTS_k(S)$.

We show Item (2) by induction on the length of $\phi$. If $\phi = \varepsilon$, then we have
the result with $\phi' = \psi = \varepsilon$. Assume the result holds for $\phi$ and let us show
that it holds for $\phi \cdot \ell$. We have the following situation, where the dotted arrows
represent executions in $RTS_k(S)$ and $t$ is in $RTS_k(S)$.$^4$

[diagram: $t_0 \Longrightarrow^{\phi}_k s \xrightarrow{\ell}_k s'$ on top; $t_0 \hat\Longrightarrow^{\psi}_k t$ (dotted) and $s \Longrightarrow^{\phi'}_k t$ below]

Next, we show that there are $t'$, $\hat s$, $s''$, and $\psi'$ such that we have:

[diagram omitted: it relates $t$, $t'$, $\hat s$, $s'$ and $s''$ through the executions $\psi'$ and $\ell$]

with $\phi' \cdot \psi' \cdot \ell \asymp \ell \cdot \psi''$.

We show this by induction on the length of $\phi'$. If $\phi' = \varepsilon$, then we have $s = t$ and
$s' = \hat s$. There are two cases:

— $E = []$ when $t$ is visited by Algorithm 1. In this case, the algorithm continues
with $E = L_1 \cdots L_m = partition(s)$, and by Definition 18 there must be
$1 \leq i \leq m$ such that $\ell \in L_i$ (since $\ell$ is enabled at $t$). Since $\ell$ is independent
with all $\ell_j$ such that $1 \leq j < i$, we have:

$s = t \hat\Longrightarrow^{\ell_1 \cdots \ell_{i-1}}_k t' \hat\longrightarrow^{\ell}_k s''$ and $s = t \xrightarrow{\ell}_k \hat s \Longrightarrow^{\ell_1 \cdots \ell_{i-1}}_k s''$

We have the required result with $\psi' = \ell_1 \cdots \ell_{i-1}$.
— $E = L_i \cdots L_m$ ($i > 0$) when $t$ is visited by Algorithm 1. Then we have two
cases:

$^4$ Note that executions in $RTS_k(S)$ are also in $TS_k(S)$ by Item (1).
• There is $i \leq j \leq m$ such that $\ell \in L_j$ and we reason as in the case where
$E = []$ (but starting at $i$ instead of $1$).
• If $\ell \notin \bigcup_{i \leq j \leq m} L_j$, then $\ell$ was not enabled when $partition(\hat t)$ was invoked
(for $\hat t$ a node visited on the path to $s$). Hence, $\ell$ is independent with
all actions in $\bigcup_{i \leq j \leq m} L_j$ and for all $t''$ such that $t \hat\Longrightarrow^{\ell_i \cdots \ell_m}_k t''$ with
$\forall i \leq j \leq m : \ell_j \in L_j$, we have $t'' \xrightarrow{\ell}_k$. Pose $L'_1 \cdots L'_n = partition(t'')$,
then we have that there is $1 \leq j \leq n$ such that $\ell \in L'_j$. Reasoning as
above, we have

$s = t \hat\Longrightarrow^{\ell_i \cdots \ell_m}_k t'' \hat\Longrightarrow^{\ell'_1 \cdots \ell'_{j-1}}_k t' \hat\longrightarrow^{\ell}_k s''$
and
$s = t \xrightarrow{\ell}_k \hat s \Longrightarrow^{\ell_i \cdots \ell_m}_k \Longrightarrow^{\ell'_1 \cdots \ell'_{j-1}}_k s''$

We have the required result with $\psi' = \ell_i \cdots \ell_m \cdot \ell'_1 \cdots \ell'_{j-1}$.

Now, assuming the inner induction hypothesis holds, let us show the result for
$\phi' \cdot \ell'$. We have the following situation, where the red parts are what is to be
shown:

[diagram omitted]

There are two cases.

— If $subj(\ell) \neq subj(\ell')$, then the two actions commute from $t_1$ and we have the
result with $\psi' = \varepsilon$.
— If $subj(\ell) = subj(\ell')$, then there are two cases:
• If $\ell = \ell'$, then $t = s_1$ (by determinism) and we have the result with
$\psi' = \varepsilon$.
• If $\ell \neq \ell'$, then we must have $\psi = \psi_1 \cdot \ell' \cdot \psi_2$ with $subj(\ell') \notin \psi_2$ (since
$\psi \asymp \phi \cdot \phi' \cdot \ell'$ by (outer) induction hypothesis). Since $\ell'$ and $\ell$ have the
same subject, there is $\hat t \in RTS_k(S)$ such that $t_0 \hat\Longrightarrow^{\psi_1}_k \hat t$ with $\hat t \xrightarrow{\ell'}_k$
and $\hat t \xrightarrow{\ell}_k$, by $k$-BI.
Thus, by Lemma 37, we also have $t_0 \hat\Longrightarrow^{\psi_1}_k \hat t \hat\longrightarrow^{\ell}_k \hat\Longrightarrow^{\psi_2}_k t''$ for some $t''$. By
(outer) induction hypothesis, we have $\psi = \psi_1 \cdot \ell' \cdot \psi_2 \asymp \phi \cdot \phi' \cdot \ell'$ and since
$subj(\ell') \notin \psi_2$, we also have $\psi_1 \cdot \psi_2 \asymp \phi \cdot \phi'$ and $\psi_1 \cdot \ell \cdot \psi_2 \asymp \phi \cdot \phi' \cdot \ell$, hence
$s_1 = t''$. Since $t''$ is in $RTS_k(S)$, we have the required result with $\psi' = \varepsilon$.

Going back to the outer induction, we have to show that
$\psi \cdot \psi' \cdot \ell \asymp \phi \cdot \ell \cdot \phi''$

In other words, $\phi \cdot \ell \in TS_k(S)$ can be extended with $\phi''$ so that there is an
equivalent execution in $RTS_k(S)$, i.e., $\psi \cdot \psi' \cdot \ell$. By induction hypothesis, we have
$\psi \asymp \phi \cdot \phi'$, hence we have

$\psi \cdot \psi' \cdot \ell \asymp \phi \cdot \phi' \cdot \psi' \cdot \ell$

From the inner induction, we know that $\phi' \cdot \psi' \cdot \ell \asymp \ell \cdot \psi''$, hence, we have
$\psi \cdot \psi' \cdot \ell \asymp \phi \cdot \ell \cdot \psi''$
and thus we have the required result. □


Lemma 39. Let $S$ be reduced $k$-BI, for all $s \in RS_k(S)$, there is $t \in RTS_k(S)$
such that $s \Longrightarrow^{\phi}_k t$.

Proof. Since $s \in RS_k(S)$, there is $\psi$ such that $s_0 \Longrightarrow^{\psi}_k s$. Since $s_0 \in RTS_k(S)$, we
can apply Lemma 38 and obtain the required result. □


Lemma 40. If $S$ is reduced $k$-OBI and reduced $k$-SIBI, then $S$ is $k$-SIBI.
Proof. By contradiction. Take $s_0 \Longrightarrow^{\phi}_k s = (\vec q; \vec w) \in RS_k(S)$.

— If $s \xrightarrow{pr?a}_k s_1$ and $s \xrightarrow{sr?b}_k s_2$. Then, by Lemma 38, there is $t \in \hat N$ s.t.
$s_0 \hat\Longrightarrow^{\psi}_k t$ and $s_1 \Longrightarrow^{\phi'}_k t$ and $\phi \cdot pr?a \cdot \phi' \asymp \psi$. Then both $pr?a$ and $sr!b$ must
appear in $\psi$, which contradicts the assumption that $S$ is reduced $k$-SIBI.

— If $s \xrightarrow{pr?a}_k s_1$ and there is $(q_r, sr?b, q'_r) \in \delta_r$ s.t. $s \Longrightarrow^{\phi'}_k \xrightarrow{sr!b}_k s'$. Then we
have a contradiction with the assumption that $S$ is reduced $k$-SIBI, via
Lemma 38 as above, with $\phi \cdot pr?a \cdot \phi' \cdot sp!b \cdot \phi'' \asymp \psi$. □


Lemma 41. If $S$ is reduced $k$-OBI and reduced $k$-CIBI, then $S$ is $k$-CIBI.
Proof. By contradiction. Take $s_0 \Longrightarrow^{\phi}_k s = (\vec q; \vec w) \in RS_k(S)$.

— If $s \xrightarrow{pr?a}_k s_1$ and $s \xrightarrow{sr?b}_k s_2$. Then, by Lemma 38, there is $t \in \hat N$ s.t. $s_0 \hat\Longrightarrow^{\psi}_k t$
and $s_1 \Longrightarrow^{\phi''}_k t$ and $\phi \cdot pr?a \cdot \phi'' \asymp \psi$. Clearly, we must have both $pr!a$
and $sr!b$ in $\psi$.
• If we have
$\psi = \psi_1 \cdot pr!a \cdot \psi_2 \cdot sr!b \cdot \psi_3 \cdot pr?a \cdot \psi_4$, or
$\psi = \psi_1 \cdot sr!b \cdot \psi_2 \cdot pr!a \cdot \psi_3 \cdot pr?a \cdot \psi_4$
where $\psi_1$, $\psi_2$, and $\psi_3$ have been chosen appropriately so that the send
actions are the ones matched at $s$, then we have a contradiction with the
assumption that $S$ is $k$-CIBI (both messages can be consumed).
• Assume we have

$\psi = \psi_1 \cdot pr!a \cdot \psi_2 \cdot pr?a \cdot \psi_3 \cdot sr!b \cdot \psi_4$

where $\psi_1$, $\psi_2$, and $\psi_3$ have been chosen appropriately so that the send
actions are the ones matched at $s$. Since $S$ is reduced $k$-CIBI, we must have
$\hat s \vdash pr?a \prec_{\psi_3} sr!b$, with $\hat s$ such that $s_0 \hat\Longrightarrow^{\psi_1 \cdot pr!a \cdot \psi_2}_k \hat s$. However, $pr!a$
and $sr!b$ appear in $\phi$, which contradicts the existence of a dependency
chain between $pr?a$ and $sr!b$ by Lemma 22.

— If $s \xrightarrow{pr?a}_k s_1$ and there is $(q_r, sr?b, q'_r) \in \delta_r$ s.t. $s_1 \Longrightarrow^{\phi'}_k \xrightarrow{sr!b}_k s'$ with $\neg(s \vdash$
$pr?a \prec_{\phi'} sr!b)$. Then, by Lemma 38, there is $t \in \hat N$ s.t. $s_0 \hat\Longrightarrow^{\psi}_k t$, $s_1 \Longrightarrow^{\phi' \cdot sp!b \cdot \phi''}_k t$,
and

$\phi \cdot pr?a \cdot \phi' \cdot sp!b \cdot \phi'' \asymp \psi$

There are two cases depending on the structure of $\psi$:
• If $sp!b$ appears before $pr?a$ in $\psi$, then we have a contradiction with the
assumption that $S$ is reduced $k$-CIBI.
• If $sp!b$ appears after $pr?a$, then pose

$\psi = \psi_1 \cdot pr?a \cdot \psi_2 \cdot sp!b \cdot \psi_3$

Since $S$ is reduced $k$-CIBI, we must have $\hat s \vdash pr?a \prec_{\psi_2} sp!b$ assuming $\hat s$
is such that $s_0 \hat\Longrightarrow^{\psi_1}_k \hat s$. By Lemma 22, we have a contradiction with the
assumption that $\neg(s \vdash pr?a \prec_{\phi'} sr!b)$. □


Theorem 12. Let $S$ be reduced $k$-OBI. $S$ is reduced $k$-SIBI iff $S$ is $k$-SIBI.
Proof. By Lemma 40 and Lemma 33. □


Lemma 42. Let $S$ be reduced $k$-BI, if $S$ is $k$-exhaustive, then $S$ is also reduced
$k$-exhaustive.

Proof. We show that Definition 8 applies to every state $s \in RTS_k(S) \subseteq TS_k(S)$.
By assumption, we have that for every $p \in P$, if $q_p$ is a sending state, then
$\forall (q_p, \ell, q'_p) \in \delta_p : \exists \phi \in A^* : s \Longrightarrow^{\phi}_k \xrightarrow{\ell}_k$ and $p \notin \phi$. By Lemma 38, there is $\phi'$ and $\psi$
such that $s \hat\Longrightarrow^{\psi}_k$ and $\phi \cdot \ell \cdot \phi' \asymp \psi$. This implies that we have $\psi = \psi_1 \cdot \ell \cdot \psi_2$ with
$subj(\ell) \notin \psi_1$, and $s \hat\Longrightarrow^{\psi_1}_k \hat\longrightarrow^{\ell}_k$, the required result. □


Lemma 43. Let $S$ be reduced $k$-BI, if $S$ is reduced $k$-exhaustive, then $S$ is also
$k$-exhaustive.

Proof. By contradiction, take $s \in TS_k(S)$ such that the $k$-exhaustivity property
does not hold (i.e., there is $pq!a$ that cannot be fired within bound $k$). By
Lemma 39, there is $t \in RTS_k(S)$ and $\phi$ such that $s \Longrightarrow^{\phi}_k t$. Then either $pq!a$ is in
$\phi$, i.e., we have a contradiction, or $p$ is in the same state in $t$. By assumption,
there is $\psi$ such that $t \hat\Longrightarrow^{\psi}_k \hat\longrightarrow^{pq!a}_k$, and by Lemma 38 we also have $t \Longrightarrow^{\psi}_k \xrightarrow{pq!a}_k$, a
contradiction. □
Theorem 13. Let $S$ be reduced $k$-BI, $S$ is reduced $k$-exhaustive iff $S$ is $k$-
exhaustive.

Proof. By Lemma 42 and Lemma 43. □

Theorem 10. Let $S$ be reduced $k$-OBI and reduced $k$-IBI. (1) $S$ is reduced $k$-safe
iff $S$ is $k$-safe. (2) $S$ is reduced $k$-exhaustive iff $S$ is $k$-exhaustive.

Proof. By Theorem 14 and Theorem 13. □


Lemma 44. Let $S$ be reduced $k$-BI, if $S$ is $k$-safe, then $S$ is also reduced $k$-safe.

Proof. The proof works similarly to the proof of Lemma 42. We show that Defi-
nition 4 applies to every state $s \in RTS_k(S) \subseteq TS_k(S)$. Each condition follows
easily by showing the existence of an equivalent execution, by Lemma 38. □

Lemma 45. Let $S$ be reduced $k$-BI, if $S$ is reduced $k$-safe, then $S$ is also $k$-safe.

Proof. The proof works similarly to the proof of Lemma 43. By contradiction,
we assume that there is a state $s$ for which the properties of Definition 4 do not
hold. Using Lemma 39, we show that there is an execution from $s$ to a state in
$RTS_k(S)$ for which the properties hold by assumption. □

Theorem 14. Let $S$ be reduced $k$-BI, $S$ is reduced $k$-safe iff $S$ is $k$-safe.

Proof. By Lemma 44 and Lemma 45. □


Lemma 3. Let $S$ be a system such that $RTS_k(S) = (\hat N, s_0, \hat\Delta)$, for all $\phi$ and $\phi'$
such that $s_0 \hat\Longrightarrow^{\phi}_k$ and $s_0 \hat\Longrightarrow^{\phi'}_k$ we have that: $\phi \asymp \phi' \implies \phi = \phi'$.

Proof. We show that $\phi \neq \phi' \implies \neg(\phi \asymp \phi')$. Let $\psi$ be the longest common
prefix of $\phi$ and $\phi'$. Take $s$ such that $s_0 \hat\Longrightarrow^{\psi}_k s$. Since $\phi \neq \phi'$, we must have $\ell$ and
$\ell'$ such that $s \hat\longrightarrow^{\ell}_k$ and $s \hat\longrightarrow^{\ell'}_k$. However, since $\phi \asymp \phi'$, it must be the case that
$subj(\ell) \neq subj(\ell')$; which gives us a contradiction since we have that $s \hat\longrightarrow^{\ell}_k$ and
$s \hat\longrightarrow^{\ell'}_k$ while $\ell$ and $\ell'$ must be in different sets $L_i$ and $L_j$. □


Theorem 15. Let $S$ be reduced $k$-OBI. $S$ is reduced $k$-CIBI iff $S$ is $k$-CIBI.
Proof. By Lemma 34 and 41. □

Theorem 8. Let $S$ be reduced $k$-OBI. $S$ is reduced $k$-CIBI (resp. $k$-SIBI) iff $S$ is
$k$-CIBI (resp. $k$-SIBI).

Proof. By Theorem 12 and Theorem 15. □
J Proofs for Section 4

Lemma 46. Let $S$ be a system. If $s_0 \Longrightarrow^{\phi}_k$, then $\phi$ is $k$-match-bounded.
Proof. We first note that $\phi$ is valid, by Lemma 9. We have to show that for any
prefix $\psi$ of $\phi$, we have
$\min\{ |\pi^!_{pq}(\psi)|, |\pi^?_{pq}(\phi)| \} - |\pi^?_{pq}(\psi)| \leq k$
There are two cases:

— If $|\pi^!_{pq}(\psi)| \leq |\pi^?_{pq}(\phi)|$, we have the result immediately since
$|\pi^!_{pq}(\psi)| - |\pi^?_{pq}(\psi)| \leq k$
by hypothesis (and the definition of $k$-boundedness).
— If $|\pi^!_{pq}(\psi)| > |\pi^?_{pq}(\phi)|$, then the following holds
$|\pi^?_{pq}(\phi)| - |\pi^?_{pq}(\psi)| < |\pi^!_{pq}(\psi)| - |\pi^?_{pq}(\psi)| \leq k$
by hypothesis, and we have the required result. □
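The inequality of Lemma 46 and the two cases of its proof can be checked mechanically on concrete executions. The Python below is an added example for this page, not code from the paper; its encoding of executions as lists of strings `pq!a` / `pq?a` is an assumption. It implements validity (a receive must consume the head of its FIFO queue), plain $k$-boundedness ($|\pi^!_{pq}(\psi)| - |\pi^?_{pq}(\psi)| \le k$ for every prefix $\psi$, i.e. no queue ever holds more than $k$ messages) and Kuske and Muscholl's $k$-match-boundedness, and the constructed traces at the end show that a valid $k$-bounded execution is $k$-match-bounded while the converse fails: an execution whose sends are never received is $0$-match-bounded but not $k$-bounded for small $k$.

```python
"""Added example for this page (not the paper's code): checks validity,
k-boundedness and k-match-boundedness of executions.  Encoding assumed here:
an execution is a list of actions 'pq!a' (p sends message a to q) or
'pq?a' (q receives a from p); participant names are single letters."""


def chan(action):
    """chan(pq!a) = chan(pq?a) = pq."""
    return action[:2]


def count_sends(phi, pq):
    """|pi^!_pq(phi)|: number of sends on channel pq in phi."""
    return sum(1 for a in phi if '!' in a and chan(a) == pq)


def count_receives(phi, pq):
    """|pi^?_pq(phi)|: number of receives on channel pq in phi."""
    return sum(1 for a in phi if '?' in a and chan(a) == pq)


def channels(phi):
    """Channels that occur in phi."""
    return sorted({chan(a) for a in phi})


def is_valid(phi):
    """An execution is valid when every receive pq?a consumes the message
    currently at the head of the FIFO queue pq."""
    queues = {}
    for a in phi:
        pq, msg = chan(a), a[3:]
        queue = queues.setdefault(pq, [])
        if '!' in a:
            queue.append(msg)
        elif queue and queue[0] == msg:
            queue.pop(0)
        else:
            return False
    return True


def is_k_bounded(phi, k):
    """k-bounded: no prefix leaves more than k messages in any queue, i.e.
    |pi^!_pq(psi)| - |pi^?_pq(psi)| <= k for every prefix psi and channel pq."""
    for n in range(len(phi) + 1):
        psi = phi[:n]
        for pq in channels(phi):
            if count_sends(psi, pq) - count_receives(psi, pq) > k:
                return False
    return True


def is_k_match_bounded(phi, k):
    """Kuske & Muscholl: for every prefix psi and channel pq,
    min{|pi^!_pq(psi)|, |pi^?_pq(phi)|} - |pi^?_pq(psi)| <= k.
    Only sends that are eventually matched in phi count against the bound."""
    for n in range(len(phi) + 1):
        psi = phi[:n]
        for pq in channels(phi):
            matched = min(count_sends(psi, pq), count_receives(phi, pq))
            if matched - count_receives(psi, pq) > k:
                return False
    return True


def lemma46_holds(phi, k):
    """Instance of Lemma 46: a valid k-bounded execution is k-match-bounded."""
    return not (is_valid(phi) and is_k_bounded(phi, k)) or is_k_match_bounded(phi, k)


# Constructed sample executions (not from the page).
PING_PONG = ['ab!x', 'ab?x', 'ab!y', 'ab?y']   # 1-bounded
BURST = ['ab!x', 'ab!y', 'ab?x', 'ab?y']       # 2-bounded but not 1-bounded
UNMATCHED = ['ab!x', 'ab!y', 'ab!z']           # three sends, none received
INVALID = ['ab!x', 'ab?y']                     # receives the wrong message

if __name__ == '__main__':
    for name, phi in [('PING_PONG', PING_PONG), ('BURST', BURST),
                      ('UNMATCHED', UNMATCHED), ('INVALID', INVALID)]:
        print(name, 'valid' if is_valid(phi) else 'invalid',
              'bounded for k in', [k for k in range(4) if is_k_bounded(phi, k)],
              'match-bounded for k in', [k for k in range(4) if is_k_match_bounded(phi, k)])
```

`UNMATCHED` is the instructive case: the minimum in the match-bounded inequality is $0$ because $|\pi^?_{ab}(\phi)| = 0$, so the execution is $0$-match-bounded even though the queue $ab$ grows to three messages.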


J.1 Proofs for Section 4.1 (Kuske & Muscholl's boundedness)

Lemma 47. If $\phi \cdot \ell \cdot \phi' \in A^*$ is a valid $k$-match-bounded execution such that
$subj(\ell) \notin \phi'$ and $\phi \cdot \phi'$ is also valid, then $\phi \cdot \phi'$ is a $k$-match-bounded execution.

Proof. We note that we only have to consider the number of messages on the
channel of $\ell$, as the others are unchanged. There are two cases depending on the
direction of $\ell$.

— If $\ell = pq!a$, then the result follows trivially since the number of send actions
strictly decreases.
— If $\ell = pq?a$, we separate the prefixes of $\phi \cdot \ell \cdot \phi'$ depending on whether they
include $\ell$ or not.
1. For each prefix $\psi$ of $\phi$, we have
$\min\{ |\pi^!_{pq}(\psi)|, |\pi^?_{pq}(\phi \cdot \ell \cdot \phi')| \} - |\pi^?_{pq}(\psi)| \leq k$
by hypothesis. We have to show that
$\min\{ |\pi^!_{pq}(\psi)|, |\pi^?_{pq}(\phi \cdot \phi')| \} - |\pi^?_{pq}(\psi)| \leq k$
which follows trivially since $|\pi^?_{pq}(\phi \cdot \phi')| = |\pi^?_{pq}(\phi \cdot \ell \cdot \phi')| - 1$.
2. For each prefix $\psi$ of $\phi'$, we have to show that
$\min\{ |\pi^!_{pq}(\phi \cdot \psi)|, |\pi^?_{pq}(\phi \cdot \phi')| \} - |\pi^?_{pq}(\phi \cdot \psi)| \leq k$

By hypothesis ($subj(\ell) \notin \phi'$), we have $|\pi^?_{pq}(\psi)| = 0$ and since $\phi \cdot \ell \cdot \phi'$ is
valid by assumption, we have $|\pi^!_{pq}(\phi)| \geq |\pi^?_{pq}(\phi \cdot \ell)|$, hence we are left to
show that
$|\pi^?_{pq}(\phi)| - |\pi^?_{pq}(\phi \cdot \psi)| \leq k$
Similarly, we know that $|\pi^?_{pq}(\phi \cdot \ell)| - |\pi^?_{pq}(\phi \cdot \ell \cdot \psi)| \leq k$. We have the result
since $|\pi^?_{pq}(\phi)| = |\pi^?_{pq}(\phi \cdot \ell)| - 1$ and $|\pi^?_{pq}(\phi \cdot \psi)| = |\pi^?_{pq}(\phi \cdot \ell \cdot \psi)| - 1$. □
Lemma 48. If $S$ is a (reduced) k-OBI, IBI, and k-exhaustive system, then it is 
existentially k-bounded. 


Proof. Take $s$ and $\phi$ such that $s_0 \xrightarrow{\phi} s$. By Lemma 15, there is $t \in \mathit{RS}_k(S)$, $\phi'$ 
and $\psi$ such that $s \xrightarrow{\phi'} t$, $s_0 \xrightarrow{\psi}_k t$, and $\phi\cdot\phi' \asymp \psi$. Note that $\psi$ is valid by Lemma 9 
and k-match-bounded by Lemma 46. We show that there is a k-match-bounded 
execution that leads to $s$ by inductively deconstructing $\phi'$, starting from its 
last element. (Base case) If $\phi' = \epsilon$, then we have the result immediately by 
Lemma 15, i.e., we have $\phi\cdot\epsilon \asymp \psi$ with $\psi$ k-match-bounded. 

(Inductive case) Take $\phi' = \phi_1\cdot\ell$. From Lemma 15, there is $\psi$ (k-bounded) 
such that $\phi\cdot\phi_1\cdot\ell \asymp \psi$. Since the two executions are $\asymp$-equivalent, we must have 
$\psi = \psi_0\cdot\ell\cdot\psi_1$ with $\mathit{subj}(\ell) \notin \psi_1$. Hence, we have the following situation, where 
the dashed execution is due to the fact that $\mathit{subj}(\ell) \notin \psi_1$ (i.e., $\ell$ is independent 
from $\psi_1$): 


where $\psi_0\cdot\psi_1$ is valid by Lemma 9, and k-match-bounded by Lemma 47. Next, 
we repeat the procedure posing $\psi := \psi_0\cdot\psi_1$ and $\phi' := \phi_1$. We note that the 
procedure always terminates since the execution $\phi'$ strictly decreases at each 
iteration. □ 


Lemma 49. If $\phi_0\cdot\phi_1$ is k-match-bounded and 
$$\forall pq \in \mathcal{C} : |\pi^!_{pq}(\phi_0)| \le |\pi^?_{pq}(\phi_0\cdot\phi_1)|$$ 
then $\phi_0$ is k-bounded for $s_0$. 


Proof. Pick any $pq \in \mathcal{C}$. By definition of k-match-bounded, for each prefix $\psi$ of 
$\phi_0\cdot\phi_1$, we have: 


$$\min\{|\pi^!_{pq}(\psi)|, |\pi^?_{pq}(\phi_0\cdot\phi_1)|\} - |\pi^?_{pq}(\psi)| \le k$$ 


In particular, for each prefix $\psi_0$ of $\phi_0$, we have $\min\{|\pi^!_{pq}(\psi_0)|, |\pi^?_{pq}(\phi_0\cdot\phi_1)|\} - 
|\pi^?_{pq}(\psi_0)| \le k$. By assumption and the fact that $\psi_0$ is a prefix of $\phi_0$, we have 


$$|\pi^!_{pq}(\psi_0)| \le |\pi^!_{pq}(\phi_0)| \le |\pi^?_{pq}(\phi_0\cdot\phi_1)|$$ 


Hence, $\min\{|\pi^!_{pq}(\psi_0)|, |\pi^?_{pq}(\phi_0\cdot\phi_1)|\} = |\pi^!_{pq}(\psi_0)|$ and $|\pi^!_{pq}(\psi_0)| - |\pi^?_{pq}(\psi_0)| \le k$, 
as required. □ 
Lemma 50. If $S$ is $\exists$-k-bounded and has the eventual reception property, then 
$S$ is k-exhaustive. 


Proof. (k-eventual reception) We first show that for all $s = (\vec{q}; \vec{w}) \in \mathit{RS}_k(S)$, 
if $w_{pq} = a\cdot w'$, then $s \to_k^* \xrightarrow{pq?a}_k$. Take $\phi_0$ such that $s_0 \xrightarrow{\phi_0}_k s$. By eventual 
reception, we have that $s \xrightarrow{\phi_1} \xrightarrow{pq?a} t$, for some $\phi_1$ and $t$. Take $\phi_2$ such that $t \xrightarrow{\phi_2}$ 
and 
$$\forall pq \in \mathcal{C} : |\pi^!_{pq}(\phi_0\cdot\phi_1)| \le |\pi^?_{pq}(\phi_0\cdot\phi_1\cdot pq?a\cdot\phi_2)|$$ 
there is such $\phi_2$ by the eventual reception property. Since $S$ is existentially 
bounded, there is $\psi$ such that $\psi$ is k-match-bounded and $\psi \asymp \phi_0\cdot\phi_1\cdot pq?a\cdot\phi_2$. 

Next, remove all actions in $\phi_0$ from $\psi$ as follows. Take the first action in $\phi_0$ 
(i.e., a send action) and remove it from $\psi$ as well as its receive counterpart, if 
any. If this action is not received within $\phi_0$, then store it in $\vec{w}$. Repeat until all 
actions from $\phi_0$ have been removed, so to obtain the sequence $\psi_0\cdot\psi_1$ which is 
k-match-bounded and valid, so that we have $\psi_0\cdot\psi_1 \asymp \phi_1\cdot pq?a\cdot\phi_2$. 

Pose $\psi_1 = \psi_2\cdot pq?a\cdot\psi_3$ and let us show that $\psi_2\cdot pq?a$ is k-bounded for $s$, by 
showing that $\psi_0\cdot\psi_2\cdot pq?a$ is k-bounded. We have to show that all prefixes are 
k-bounded. This is trivial for any prefix of $\psi_0$ since $s \in \mathit{RS}_k(S)$. For any prefix 
$\psi$ of $\psi_2$ we have to show that 
$$\forall pq \in \mathcal{C} : |\pi^!_{pq}(\psi_0\cdot\psi)| - |\pi^?_{pq}(\psi_0\cdot\psi)| \le k$$ 
Since $\psi_0\cdot\psi_1$ is k-match-bounded, we have 
$$\forall pq \in \mathcal{C} : \min\{|\pi^!_{pq}(\psi_0\cdot\psi)|, |\pi^?_{pq}(\psi_0\cdot\psi_2\cdot pq?a\cdot\psi_3)|\} - |\pi^?_{pq}(\psi_0\cdot\psi)| \le k$$ 


By construction, we have $|\pi^!_{pq}(\psi_0\cdot\psi)| \le |\pi^?_{pq}(\psi_0\cdot\psi_2\cdot pq?a\cdot\psi_3)|$, hence we have 
the required result. 

(k-exhaustivity) We show the rest by contradiction. Assume there is $s \in 
\mathit{RS}_k(S)$ for which the k-exhaustivity condition does not hold. Hence, there must 
be $pq \in \mathcal{C}$ such that $|w_{pq}| = k \ge 1$. From the result above, we have $s \to_k^* \xrightarrow{pq?a}_k t$ 
for some $a$ and $t$, and therefore we have $t \xrightarrow{pq!b}_k$ for any $b$, a contradiction. □ 


Lemma 51. If $S$ is existentially k-bounded and safe, then for any k-match- 
bounded $\phi$ such that $s_0 \xrightarrow{\phi} s$, there are $\psi$ and $\phi'$ such that $s_0 \xrightarrow{\psi}_k t$ and $s \xrightarrow{\phi'} t$ 
and $\psi \asymp \phi\cdot\phi'$. 

Proof. Take $\phi$ k-match-bounded s.t. $s_0 \xrightarrow{\phi} s$. By safety, there is $\phi'$ such that 
$s \xrightarrow{\phi'}$ with $\forall pq \in \mathcal{C} : |\pi^!_{pq}(\phi)| \le |\pi^?_{pq}(\phi\cdot\phi')|$, i.e., we extend $\phi$ with an execution 
that consumes all messages sent in $\phi$. 

Since $S$ is existentially bounded, there is $\psi \in [\phi\cdot\phi']_{\asymp} \cap \mathcal{A}^*|_k$. Take prefix $\psi_0$ 
of $\psi$ such that $\exists \phi'' : \forall p \in \mathcal{P} : \pi_p(\psi_0) = \pi_p(\phi\cdot\phi'')$. If $\psi_0$ is k-bounded, we have 
the required result, otherwise, there must be a prefix $\psi_1$ of $\psi_0$ such that 


$$|\pi^!_{pq}(\psi_1)| - |\pi^?_{pq}(\psi_1)| > k$$ 
However, since $\psi$ is k-match-bounded, we have 
$$\min\{|\pi^!_{pq}(\psi_1)|, |\pi^?_{pq}(\psi)|\} - |\pi^?_{pq}(\psi_1)| \le k$$ 


and by construction of $\psi \asymp \phi\cdot\phi'$, we have $|\pi^!_{pq}(\psi_1)| \le |\pi^?_{pq}(\psi)|$, i.e., a contradic- 
tion. □ 


Theorem 16. (1) If $S$ is (reduced) k-OBI, IBI, and k-exhaustive, then it is ex- 
istentially k-bounded. (2) If $S$ is existentially k-bounded and has the eventual 
reception property, then it is k-exhaustive. 


Proof. Part (1) follows from Lemma 48 and Part (2) follows from Lemma 50. □ 


Theorem 4. (1) If $S$ is k-OBI, IBI, and k-exhaustive, then it is $\exists$-k-bounded. 
(2) If $S$ is $\exists$-k-bounded and satisfies eventual reception, then it is k-exhaustive. 


Proof. By Theorem 16. □ 


J.2 Proofs for Section 4.2 (stable boundedness) 


Lemma 52. Let $S$ be a system and $\phi \in \mathcal{A}^*$ such that $s_0 \xrightarrow{\phi} (\vec{q}; \vec{\epsilon})$, then $\phi$ 
is k-match-bounded if and only if $\phi$ is k-bounded for $s_0$. 


Proof. The ($\Leftarrow$) direction follows from Lemma 46. The ($\Rightarrow$) direction follows 
from the fact that for any prefix $\psi$ of $\phi$, we have 


$$|\pi^!_{pq}(\psi)| \le |\pi^?_{pq}(\phi)|$$ 


since all messages sent along $\phi$ are received (all channels in $s$ are empty). Hence 
we have $|\pi^!_{pq}(\psi)| - |\pi^?_{pq}(\psi)| \le k$ by Definition 15, i.e., $\phi$ is k-bounded. □ 


Theorem 5. (1) If $S$ is existentially k-bounded, then it is existentially stable 
k-bounded. (2) If $S$ is existentially stable k-bounded and has the stable property, 
then it is existentially k-bounded. 


Proof. We show both statements by contradiction. 


1. Assume by contradiction that $S$ is existentially k-bounded, but not existen- 
tially stable k-bounded. Then, there must be $\phi$ such that $s_0 \xrightarrow{\phi} (\vec{q}; \vec{\epsilon})$ 
where $\phi$ has no $\asymp$-equivalent execution which is k-bounded for $s_0$. However, 
since $S$ is existentially k-bounded, there is $\psi \asymp \phi$ such that $\psi$ is k-match- 
bounded. Since $s_0 \xrightarrow{\psi} (\vec{q}; \vec{\epsilon})$, by Lemma 52, $\psi$ is k-bounded, a contradiction. 
2. Assume by contradiction that $S$ is existentially stable k-bounded and has 
the stable property, but not existentially k-bounded. Then there is $\phi$ such 
that $s_0 \xrightarrow{\phi} (\vec{q}; \vec{w})$ (with $\vec{w}$ not empty) such that $\phi$ has no $\asymp$-equivalent 
execution which is k-match-bounded for $s_0$. Since $S$ has the stable property, 
we have $s \xrightarrow{\phi'}$ and there is $\psi \asymp \phi\cdot\phi'$ such that $\psi$ is k-bounded (since $S$ is $\exists S$- 
k-bounded). Then we reason as for the proof of Lemma 48 and progressively 
deconstruct $\phi'$ to show that there is a subsequence of $\psi$ that is k-match- 
bounded and $\asymp$-equivalent to $\phi$, a contradiction. □ 
Lemma 53. Let $S$ be $\exists$-k-bounded, then for all stable configurations $s$ and $s'$ 
in $\mathit{RS}(S)$ such that $s \xrightarrow{\phi} s'$, there is $\psi \asymp \phi$ such that $\psi$ is k-bounded (for $s$). 


Proof. Since $s$ is stable and $S$ is $\exists$-k-bounded, there is $\phi_0$ k-bounded for $s_0$ such 
that $s_0 \xrightarrow{\phi_0} s$, and we have $\psi$ k-bounded such that $\psi \asymp \phi_0\cdot\phi$. We show that we 
inductively remove the actions of $\phi_0$ from $\psi$ while preserving its k-boundedness. 
Since $s$ and $s'$ are stable, we have $\phi_0 = pq!a\cdot\phi_1\cdot pq?a\cdot\phi_2$ with $\pi^?_{pq}(\phi_1) = \epsilon$. 
Hence, we can remove the first respective occurrences of $pq!a$ and $pq?a$ from $\psi$ 
without affecting its k-boundedness: (i) the new execution is still valid since we 
remove a send and its receive and (ii) the bound is preserved since we remove a 
send and a receive simultaneously. We repeat the procedure until all the elements 
of $\phi_0$ have been removed and we obtain the required result. □ 


Lemma 54. Let $S$ be an existentially stable k-bounded system with the stable 
property, then for all $s \in \mathit{RS}_k(S)$, there is $t$ stable such that $s \to_k^* t$. 
Proof. First we observe that for any stable $t$, we have $t \in \mathit{RS}_k(S)$ since $S$ is 
$\exists S$-k-bounded, by Lemma 52. Assume $t_0$ is stable and $t_0 \xrightarrow{\phi}_k s$. We show the 
result by induction on the length of $\phi$. 
If $\phi = \epsilon$, then we have the result since $t_0$ is stable and there is stable $t'$ such 
that $t_0 \xrightarrow{\epsilon}_k s \to^* t'$ since $S$ has the stable property. Finally, by Lemma 53, we 
have $s \to_k^* t'$. 

Assume the result holds for $\phi$ and let us show that it holds for $\phi\cdot\ell$. Pose 
$t_0 \xrightarrow{\phi}_k s \xrightarrow{\ell}_k s'$. By induction hypothesis, we have that $s \xrightarrow{\phi'}_k t$ for some $t$ stable 
and $\phi' \in \mathcal{A}^*$. We have to show that $s' \to_k^* t'$ with $t'$ stable. There are two cases: 


– If $\mathit{subj}(\ell) \notin \phi'$, then we have $s' \xrightarrow{\phi'} t$ and $t \xrightarrow{\ell} t'$, and we only have to show 
that $s' \xrightarrow{\phi'}_k t$, which follows trivially from the fact that $\mathit{subj}(\ell) \notin \phi'$ (i.e., 
there is no other send on the channel in $\phi'$). 
– If $\mathit{subj}(\ell) \in \phi'$, then there are two sub-cases depending on the direction of $\ell$. 
• If $\ell$ is a receive action, then the result follows trivially. 
• If $\ell$ is a send action. Assume w.l.o.g. that $\phi' = \phi_1\cdot\ell\cdot\phi_2$ with $\mathit{subj}(\ell) \notin \phi_1$, 
then we have $s' \xrightarrow{\phi_1\cdot\phi_2}_k t = t'$, and we have the required result. 


We have shown that either there is stable $t$ such that $t \xrightarrow{\ell} t'$, hence we are back 
to the base case, or $t = t'$, in which case the result follows trivially. □ 


Theorem 6. Let $S$ be an $\exists S$-k-bounded system with the stable property, then 
it is k-exhaustive. 


Proof. We first note that by Theorem 5 we have that $S$ is both $\exists S$-k-bounded 
and $\exists$-k-bounded since it has the stable property. Assume by contradiction, that 
$S$ is not k-exhaustive. Then, there is $s$ such that $s_0 \xrightarrow{\phi}_k s = (\vec{q}; \vec{w})$ and $p$ such 
that $(q_p, pq!a, q'_p) \in \delta_p$ and $\neg(s \to_k^* \xrightarrow{pq!a}_k)$. By Lemma 54, there is stable $t$ such 
that $s \xrightarrow{\psi}_k t$. Then either $p \in \psi$ and therefore $pq!a$ can be fired in $\psi$ and we have 
a contradiction, or $p \notin \psi$ and $t \xrightarrow{pq!a}_k$, i.e., another contradiction. □ 
J.3 Proofs for Section 4.3 (synchronisability) 


Lemma 55. Let $\phi$ be a valid execution. If $\phi$ is a k-exchange then it is a k- 
match-bounded execution. 


Proof. Since $\phi$ is a k-exchange, it must be of the form 
$$\phi = \phi_1\cdot\psi_1 \cdots \phi_n\cdot\psi_n \quad \text{where} \quad \forall 1 \le i \le n : \phi_i \in \mathcal{A}_!^* \wedge \psi_i \in \mathcal{A}_?^* \wedge |\phi_i| \le k$$ 
We must show that for every prefix $\psi$ of $\phi$ and every $pq \in \mathcal{C}$, the following holds: 
$$\min\{|\pi^!_{pq}(\psi)|, |\pi^?_{pq}(\phi)|\} - |\pi^?_{pq}(\psi)| \le k$$ 


We first observe that, for all $1 \le i \le n$, if $\psi = \phi_1\cdot\psi_1 \cdots \phi_i$ is k-match-bounded, 
then so is $\psi\cdot\psi_i$ (since $\psi_i \in \mathcal{A}_?^*$), hence we only show the result for the former. 
Take $pq \in \mathcal{C}$ and pose $\psi = \phi_1\cdot\psi_1 \cdots \phi_i$ (with $1 \le i \le n$). There are two cases: 


– If for all $1 \le j < i : \pi^!_{pq}(\phi_j) = \pi^?_{pq}(\psi_j)$, then all messages sent on channel $pq$ 
are received within each exchange. 
• Case $|\pi^!_{pq}(\psi)| \le |\pi^?_{pq}(\phi)|$: We have 
$$|\pi^!_{pq}(\psi)| = |\pi^!_{pq}(\phi_1 \cdots \phi_i)| = |\pi^!_{pq}(\phi_1 \cdots \phi_{i-1})| + |\pi^!_{pq}(\phi_i)| = |\pi^?_{pq}(\psi)| + |\pi^!_{pq}(\phi_i)|$$ 
Hence, $|\pi^!_{pq}(\psi)| - |\pi^?_{pq}(\psi)| = |\pi^!_{pq}(\phi_i)| \le k$, and we have the required 
result. 

• Case $|\pi^!_{pq}(\psi)| > |\pi^?_{pq}(\phi)|$: Then, there is $i < m \le n$ such that $\pi^!_{pq}(\phi_m) \neq 
\pi^?_{pq}(\psi_m)$ and we have 
$$|\pi^?_{pq}(\phi)| = |\pi^?_{pq}(\psi_1 \cdots \psi_m)| \ge |\pi^?_{pq}(\psi_1 \cdots \psi_i)| = |\pi^!_{pq}(\phi_1 \cdots \phi_i)| = |\pi^!_{pq}(\psi)|$$ 
Hence, we obtain $|\pi^?_{pq}(\phi)| \ge |\pi^!_{pq}(\psi)|$, a contradiction with this case. 
– If there is $j < i$ such that $\pi^!_{pq}(\phi_j) \neq \pi^?_{pq}(\psi_j)$ (take the smallest such $j$), then for 
all $j < m \le n : \pi^?_{pq}(\psi_m) = \epsilon$, i.e., all messages sent after $j$ are not matched. 
Hence, we have 
$$|\pi^?_{pq}(\phi)| = |\pi^?_{pq}(\psi_1 \cdots \psi_j)| = |\pi^?_{pq}(\psi)| \quad (7)$$ 
Thus, we have 
$$|\pi^!_{pq}(\psi)| = |\pi^!_{pq}(\phi_1 \cdots \phi_{j-1})| + |\pi^!_{pq}(\phi_j)| + |\pi^!_{pq}(\phi_{j+1} \cdots \phi_i)| 
\ge |\pi^?_{pq}(\psi_1 \cdots \psi_{j-1})| + |\pi^?_{pq}(\psi_j)| 
= |\pi^?_{pq}(\psi_1 \cdots \psi_j)| = |\pi^?_{pq}(\phi)|$$ 


Hence, we only have to show that $|\pi^?_{pq}(\phi)| - |\pi^?_{pq}(\psi)| \le k$, which holds by (7). 
□ 
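As an added illustration of the case split in the proof of Lemma 55 (example code written for this page, not code from the paper or its tool), the following Python decomposes an execution into the blocks $\phi_1\cdot\psi_1 \cdots \phi_n\cdot\psi_n$, reports the least $k$ for which it has the shape of a k-exchange ($\max_i |\phi_i|$), records for each exchange and channel whether $\pi^!_{pq}(\phi_i) = \pi^?_{pq}(\psi_i)$, and turns the proof's observation about the first unmatched exchange $j$ (every later $\psi_m$ has $\pi^?_{pq}(\psi_m) = \epsilon$) into a check. The `pq!a` token syntax, single-letter participant names and the two executions are constructed for the example.

```python
# An action is a tuple (sender, receiver, direction, message); direction "!" = send, "?" = receive.
# The token syntax "pq!a" and both executions below are constructed for this example.

def acts(exec_str):
    """Turn 'pq!a pq?a ...' into a list of actions (single-letter participant names assumed)."""
    return [(t[0], t[1], t[2], t[3:]) for t in exec_str.split()]

def exchanges(actions):
    """Split phi into phi_1.psi_1 ... phi_n.psi_n with every phi_i in A!* and psi_i in A?*.
    A new exchange starts at the first send that follows a receive."""
    blocks, sends, recvs = [], [], []
    for act in actions:
        if act[2] == "!":
            if recvs:                      # a send after receives closes the previous exchange
                blocks.append((sends, recvs))
                sends, recvs = [], []
            sends.append(act)
        else:
            recvs.append(act)
    blocks.append((sends, recvs))
    return blocks

def exchange_bound(actions):
    """Least k for which phi has the shape of a k-exchange: max_i |phi_i|."""
    return max(len(sends) for sends, _ in exchanges(actions))

def on_channel(block, p, q, direction):
    """pi^!_pq / pi^?_pq restricted to one block (phi_i or psi_i) of an exchange."""
    return [a for (s, r, d, a) in block if (s, r, d) == (p, q, direction)]

def matched_per_exchange(actions, p, q):
    """For each exchange i: does pi^!_pq(phi_i) == pi^?_pq(psi_i) hold?  This is the
    condition the proof of Lemma 55 splits on."""
    return [on_channel(sends, p, q, "!") == on_channel(recvs, p, q, "?")
            for sends, recvs in exchanges(actions)]

def first_unmatched(actions, p, q):
    """Index j of the first exchange that leaves a pq message unreceived within it, or None."""
    for j, ok in enumerate(matched_per_exchange(actions, p, q)):
        if not ok:
            return j
    return None

def is_k_exchange(actions, k):
    """Shape bound <= k and, per channel, no receive block after the first unmatched
    exchange j receives on that channel (the proof's 'all messages sent after j are
    not matched')."""
    if exchange_bound(actions) > k:
        return False
    blocks = exchanges(actions)
    for (p, q) in {(s, r) for (s, r, _, _) in actions}:
        j = first_unmatched(actions, p, q)
        if j is None:
            continue
        if any(on_channel(recvs, p, q, "?") for _, recvs in blocks[j + 1:]):
            return False
    return True

# Constructed executions.
EX1 = "pq!a pq!b pq?a pq?b pq!c qp!d pq?c qp?d pq!e"   # three exchanges; the last orphans e
EX2 = "pq!a pq!b pq?a pq!c pq?b"                      # b is received only in a later exchange

if __name__ == "__main__":
    for ex in (EX1, EX2):
        print(exchange_bound(acts(ex)), matched_per_exchange(acts(ex), "p", "q"),
              is_k_exchange(acts(ex), 2))
```

`EX1` is a 2-exchange whose third exchange is the first unmatched one on channel $pq$ (the proof's second case, with nothing after it), whereas `EX2` has the block shape of a 2-exchange but receives $b$ in an exchange later than the one that sent it, which violates the observation the proof relies on, so the check rejects it for every $k$.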
Theorem 7. (1) If $S$ is k-synchronisable, then it is $\exists$-k-bounded. (2) If $S$ is k- 
synchronisable and has the eventual reception property, then it is k-exhaustive. 


Proof. Item (1) follows from Lemma 55: for any execution of $S$, there is an 
equivalent k-exchange, which is a k-match-bounded execution. Item (2) follows 
from Item (1) and Item (2) of Theorem 5. □ 